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Abstract of JP2001 03651 7 

PROBLEM TO BE SOLVED: To provide a 
system to limit access to contents of transmission 
program such as television program. SOLUTION: 
A transmitter or a head end server is used by a 
service provider to transmit encrypted 
programming contents to one or a plurality of 
customers. A program identifier (p) used to 
identify a program is transmitted to the customers 
together with programming contents. Each 
customer uses a set-top terminal or an 
interpretation key to provide a limited access to 
transmission multimedia information as other 
device. The set-top terminal 400 or the like 
receives entitlement information corresponding to 
a package of one or a plurality of programs that 
can normally be received for a period from a 
head end. 
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(B) :^^^< locOVX^-^-^jgftl.Xx-yT 
•r-g. ^ 1 J; Off^crn^^^ A^-&Mi,^|. ^ 1 J; D 

(D ) iffiaBi^'fbt^cTo:?'-7A&frfErn^'7i=.iD3iJ 
■y ^^MiAio 1 -jffmmtLiz b ttrat -ri-if *ii 

limm ] ( E ) lulSxy Ki-tftiJ; Ofl/^rn 

[it*iM4 ] TMicx > Y h li A y V mm^i , mti 

xy Hjl— >f(,:;J; 'Jt5/c7"P;7 -7/.(7.)-t ••/ I-(cSo < 

^„ 

im^m 5 ] tulBxy H^-if (i. IB'lt^ix/iHfrlBx 
yf^ V)V^yvmmt^^m%irx}^yj^^~i%tt: 

[ mm 6 ] tuiE7°n ^y j^mmimtmmtru 

^yM.!nWMttUz4 y9-')~y'^ixh:itim. 
ixmt^fih ; t immt-thtmrn i iBMt^*-ffi, 

[If aSiIS ] HiSciOxy K^-- tf- trn^-^A JMfi 
(A) 7°n^-^A|iSiJi^&:&-r^7°n^''^A&. HfrlBT 

■yTt. 

^ ^miBxy K^-if t^Mfi-r-sxT >y r t ^*-r «. i 



Mirny' yAM^l^f-cOnli'y ^^O^a^^^m^^l^rfE^^ 

[ft^ll 10] ( C ) mfiaxy H^-- tf- 1 j; 19 ft/ST 
n^''^Aco-fe -y btiS-s'v^TtfilBxy F:i-— If' tixy^J' 

iimmi 1 ] miaxy^^ h)i?<yhmmut. m 
^-7U-(^-gi;&^tf<ri:&!^ittt-sif*]ii oiB 
[ mm 1 2 ] friax y v^-^n . fee s tLt^mM 

y^y^AViV^yV if 4 t?IB7°n 5 a ^ - ^ # |> 
if*3Ii oiB^co^rsS^ 

[ft*is 1 3 ] mtruyy2^mmm%m^\\.r 

n^^Ac^Mflt t ^) {zA y^- y-r^iil. ; t 
±t-}Ifl Sill>ii^#Si:t-|. If 8 IBis^O^ 

a. 

[11*111 5] ^-^< ti, locoroi/^AyN-.y^- 
v^tMJtE-ri.To^^i.&l^iOxy H^-if tcMfit- 

( A ) frISxy K:I.-^ft J; "9t#/crn^^7Ac^-fe>y h 

icK-'i^>-Cm1Bx> Kj.— tftcxy^-^ b;i/;<yMf|g 
^Jlft^SXT^yrt. 

(B) rni5''7Aiisij^£*-r4rn^'-7A&, iriBr 
o'< vxiJ'-=3r-tcyN >y i^^mwAwm\mmt ^ 
■yrt. 

{ C ) Bf^-fk^fL/irnr^A 1 1 ititulBrn^^A 
i^S'J^ &|frfExy K^-TtciUfi-r-SXr -y Tt t § 

(f, |irlBxyKjL-Hf{4fE'lt$fLfcxy^^ b;Myb 

fflfg*^f.|friETp^ 7 A=^-^ff !> i t ^^^St t-l.:^ 

[ff^iMl 6 ] irlETn^-^Ail^imin h--y 

MiBrn^'^Ai^sij^iOMjs-ri. f-y vmz^-^x. m 

lETn ^' 7 l^mVf-<n n t' >y h C^fSa^tL^fLt: MIE^ > 

-y y^min 1 -^AW^ix-g. ; t ^m.b^mm 

1 5fEtt(7)^r^£, 

[ft^ill 7] iTiBxy^^f h;k;>{yhffifga4, M 
IBxyK^-ift^J: '9#3tTn^''7AiO-i2>y bt;So'< 

^~V^)~<^-%-k^^'Ch^^'^h'fhmim.\ SIB 

[ff^il 1 8 ] ffliaxy K^-- tf ii. lEeStiZ-cluia 
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[ iMH 1 9 ] luiaro ^- y M^mmumm^itr 

( A ) IfflBTo^-^Ai^rnA-^ ^'~i^^^mmWM:bm 

( B ) rni^yj^^-X'^^t^fifzvsn^tr^^yJ^ 

tru y y AiiSlJ^ i Sfl^ l. X ^ .y 7° h , 

{ c ) mmr^yyiM^mmi^-'v v-mim 

( D ) |tfiaTO:/7A^-&ffll^TinEHi-t'fbro^''7 
[it5^]l2 2] WMrn^yM.mm^iin\L-yhP^ 

-7 u -^i^^s^is ; t mwLbi-im^2 1 laK 

(A) l?ia7°P^'^A£7)7°nA-f ^■-j&^ib. 

( B ) rn^'-yj^^-'cn^it^tifzm^itrrt^^'yj^ 
}iru^-yi.mw\Ti Sff -f - hXT^rt. 

{ c ) wmruyyi^m\\'f(^fU U fltS-S^-^T 15 

D mtarn^-^ AiisiMt;-tijia4irHi^-A-^>^-7 y 
( D ) ffiiarn^^A^-^ffli^TirlEBt-^-fCrni/^ 

[m^m2 4 ] luiarn^^AiESlJ-f {±n t'.y ht-^ 

Mia^r9l^-(i;mlB^-7 'J -i^P^/t- r izm^ 'pm 
7 - K tMJtE L . luia^ ^ 'y ^ ^ MStimf a^r^l^ - (I n 

- r mmm^ti^ ^ t mwitt6m-^m2 siatfe^o^ 



5 ] xy K^— !fX(7)r^-fex&MRSt-|. 

(A) vx^-^-fcayb°^-^fI^fc ^)^tg3-K 

( B ) mia ^ ^ y - ^zmi¥m^z-j ^ ^ r n ^r .y -9- 1 

( a ) i^'jmm^hru^yl.Mmmiirxj 

ifyMzm'om. 

(b) ^-^< 10(^^X^-df-SrS*^. 

( c ) iffarn^'7i.iDSiJW>'^-^yfitc»o%^Tir 

favx3'-^-tc^-=5r< t h i-:>coj^yi^^mmimm 

-ri> ; t j; D 7°ni/7A^-Srfflv^Ttuia7°n^''5i. 

( d ) mirT3^^'yM,m^\^b t i^tcaff-^tra^^A 

[ imm 2 6] X y K JL-Hf' - iziPi-tiT^-^x mi 

Pfi S ii/-^ r p ^- 7 A ^ i*ji-ri> ^ X X/. t . 

(A) vx^-:5f-*3j;Vayh°i-^M;=^KD^tg3 

( B ) iria^^ y-tciJf^±o^;i)^"-3;^c7°o-fe y^-b 
fria7°n^r"/if-i±. 

( a ) mtirnf^yJ^mmi'cDfy humti^'M-^ 
^i-U -fitcS-lJ'V VX ^ - ^ -y ^ a MIt & H 
Wt^jiM ^tt:J;'5T#^5iXl.7°P^'7Adr-& 

ffli^T. rn^^yj^mm^-tmr^i^yj^isi^ 

{ b ) Miexy KrL— f-tifff-t'fts^D^igrp^^A 
tiximir^^'y^mmmm-^ x a t^iis-ri. 

[if*ll2 7 ] Bf^-ft^iXJ^^rp^^ A&rn- 

(A) vx^-=^f-ioJ;i;^'3yfc°j.-^|f^E'9^t^3 
-F^iaiit-|.;':*y-t. 

( B ) pfa^q^y-t:i6{iH±o^*i'5/-c7°p^-y-9--t 
^^■L. MiaTP-fe-y-tf-Ji. 

(a) mmmm^zXoxn^tL6ru^-yi,co^'yViz 

a^X^-'yy-tOgPi^^-ttfxy^^ h;^;^yF'|f|g 

^i^TPi/^Ac^rp^N'-Y y-h-i^^mi. 

(b) TPi5''7A=3r-t3i')TBi-t'fk§>fl5taff-'ftTP 

^'■'^A. fci;t^7°p^'-7A|iSiJ^^gftL. 

( c ) |fifETn^-7AiiSMj;t/'mia=^--yy-£^iB 
It $ tL/iifrf agi5^^5!j^ frierp ^- 5 A ^ - & f#T . 

( d ) ifieTP^''7A^-2rffll^TluiaBi-^'ft7°Pi?'7 

A, 

[iMil2 8] ^ye^-^-il^EO^fgn-K^ 
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(b) 'yts:<Xi,—0(^^7.9-^-^m.^. 

{ c ) mtiruy'yM.m7s^\Tffv\Ai-']~mzm-3v'.x 

mmm $ titz > t ^ - ^ mm ^nm^x-h ^ 
X. m^y\fj.-mm'o^mmmi¥mz^ 

( a ) m9mmizi'oXn^ii^rn^yJ^(7)'t^y Viz 
^i^rn^'-'5Ai7)rnAW t"-*^/^SfiL. ( b ) 7°n 

^'■■yM.^-^.zi.■',xm^it$ilf^m^■itr^31fyM,. ^ 

( c ) mMr\3^'yM,mmtiXimm^-'yo~(^m 

( d ) mtir^^yi.^-^m\-^XmW^m^rxiyy 
j>.immth^bim^t-tt^y\^:x.-m?m^^ 
mm. 

[00 0 1] 

^nm^cnri^^x^Wm-ti^x^MzYML. ^\,z. 

rni^-yj^mmth(D^Z'm^j:mm^~mhfz^ 

iz^ Mimiifzj^y^'^ hn^yhwmtpiiz. ^-vh 

i:m^xmM$tifzru / y i^immth ^-xta tcw 

[0 0 0 2] 

mmmm ] -f p a ynm^mm^mt^i-^y 
^^'7 s ymm(^Mmi^mt h ^zmy, r^tva yn 

li^i^ A □ i^^a ^ ii^ S it ^ ^ y ^^;ut-7°n y A 

m&f^zm^^fi ^ ^ ^° -y i^'OP^f|{±-Mt: v-^x ^ 

yi^'mmxhh., fX7°n7s;^ ^'-(j;*^^ 

'9t?)7°n^-^A*^A,^T07°n^'7A. mi^iJOlS*?)*! 
[0003] -t-b'XTny\M r-{±al^. r^,.^ |ix 

y K J t if ^1 !> }Mff ^i:coffi?g:/\ t X 1^ f i;^ 3 

ruyy^y9'cr)-m^)Mzm^mh^. mui. 



~f^^mm<7^ii 0 ^mm^s^mmzi^-^xnti'T^Kx- 

mcr}Mzr-a^'yAcr>T^^7^'i:%m<fltMz^ ^- 
S -f/L ( S TT ) ^m.mh . ^ c7) i a ^r^ffit-. ^: -y 

h h y 7° ^ - 5 -riwm'^im.m'SLit l . n^g^mi. 

[0004]-fe-yhh >yT^-S^;t/tIfE'ISSil5t«^ 

>mm\Mm.<^%w^mm/Hz-thfz'>h. ^^vv -y 

S , ^r ^ ^ T;>t t u ^T(i=5r < ^ y^ ^°- 

^'^mx-h i^tt^^K. ^m^mmmz^ -^urn 

i/yl.-tt ^ t !> . Se^t'J-fe •/ I- 1- y 7°^- 5 i- 

X. Mm^ti^^-mmmixitw -^--fxr 
nA-^ r-fmi^t^^^-yy-'jmmmixit 
0 . EM^i}Lcom-^mm^z^-\^xr\3JU f"-t^7"^- 

-X'hhztmh. 

[000 5] m%cr)-\i }^ b .y r 9 - 5 lit , 'f- 1" 
MJtEf t" 7 hxy h y t" >y 

m^Xhmf. -b -y h h -y7°^S7- S-f;l/t:|B'fiSfl2. f 

•y^K^^;K:^^^tl>b■•■y hxyNU-iJ rij {z^.; 

^X(^)rviyyM±--^ir)iy~xmmt^Kh . ru^' 
yJ^i:^iilt. -fev bb-7 7°^-S^;W±. f>yh^ 
^ b/L'tT^'-feX t . MJtbt-S f -y hxy h U 'y 

-*i-b'y h§^lTV^ilH\ -t 'y h h 'yT^- S -h/Hi^ 

o0fEii§ tL/iHf ^ts^ ffl^ 7°n^- 7 A i mm-ti , 

[0006] mmn±^^^y^~'J (^^y^-^Jlt-^ 
t;-0<7)7°n^-7AT-fflj£t-§ ) tMt-OiOf.y bX 

yhU-t: m^~t^ >! i: i 0 f -y h ^ ^ h 

> x^At;fc(ti>r^^rxsij«f'.y ^;^t^3^t 

SxybU-tCir.TMWtC^^'^il, Hf-f-e^J (cryp 
tographic) Tli^V^o 1^-:.T, Lffi^^^t'^y h a;^/ 
^Ti^f-yb^ rij t^-b^yb^l,; 
t tiK'^ fill , W^fi^T i^7°n 5 A r !> 
Zht^X^XLto. 

[0007] tfz. Tn^-'yM.i^J'iyy-'JiZ-^if^ 
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fi/ 3 y^-^- S „ -b -y b h -y r ^- 5 

^t-/^->>'i^ig|+t:i^v^T*$);tt&$'JRgL-(: ltd. 

[00 08] ^<D^d^^rui^yi.mm^-itLmii 

■y 7° 3^ - 5 -f-Zl. (7)M[Ii| § il/i -t ^ i r X 1 1 J > 

it^tc ^mcoru / 7 A ^ # t^#i^i?5P4- 1. V V 7 jr - > 
; t mmi>zix^^^s^\ mmmin 

110 8/9 1 2 1 86 ( 1 997:^8^ 1 5Ht±i^) l,Z 

^•f^ w^co r ^ -(r ^ MRS-r s vs^^mifmii ^ if mm 

mm^fix\-^i. 

[00 09] Vspacei- XrAlciiltr^^vp/ yi^fi. 
7° P 7 A=3r- k p & M V iliiOM t A. .y K X y 

!i. ^^^'-^-Mi7)^46A>ix/--lr-y h(7)^ff^ffl;?^^^? 

s§^itr^^''y ^y^'iH^trnzmm^Ki . w^c?)^ 

-yhh ■yr^-ii-Mi. SftL/STn^-^AiiSiJ^ P 
aXUm^ztm L /ix y ^ ^ b /i-^ y b ffilgco;^*^;?;^ fbflf 

7 .y ^^'^ ^ ffi (:te5Si^-f t ( Tn ^-^-A t ikizr 

n^-5AiiSIJ^C0^«i§fl|, ) ^Ktt«3^l>VN°-y^r 
- i^' S HJI gt: L ^ Bf W W r ^ -b X Mffll^ A 
^fl«t-|.„ ^:€5r^., MJtE-rS^^N-^y^-i^'ttt^rn 

[00 10] 

■y Kxy K^?--y^'^fflv^T^f-t:■X7°^y^M ^-t' J; o 

T 1 h L<mmi(DmMiz5m-it^tifzr^^-'y 5 y^'' 
^S^^'ilfl § ^il. „ 7°n / ^ A ^ tisijt- 1, I > -s. r 

mm^'--^m\ ^xwe-^jv^^^ t ^ rtt igtMPi^ ntz 

s i-Mmmm mmiz^miz^mxt i> 1 1 l < ii 

7° n / 7 A toy N° 7 - y tcME^-t I. x y ^ ^ f 



;>< y Mffg^'v-y Kxy Yt-^^mtt . 
[00 11] #7°ni?-'7A{iTn^''^A^-kpSrfflM 
T3ilftiOtfft:^>y Kxy KHf-ys;t i DHf-^-ftSiil. , 
ji(7)7°n:;''7 A^-k p ti^iOTo^- 7 Atc^-- ^ 5: 

fttSP-tt. -^-y FxyFt;--A'(i-fe.y b h ■yT^'-S 
;WC7°n^-^ AUSOi^P ^mm-ft . ^-/YY -y 

- 5 -f ;l/ii;lE'[i$ ^i^c x y ^ ^ b y b ftffi t ft 
fiL!t7°n^'^AiiSiJi^P^J^lv\ 7°n^-7A&SlfI1- 

b 'y r^' - 5 -^;W4f a« § tlSfi § ^/Sffifg ^ ffl I Bf 
^ih§fL/S7°n^-'7A^-kp^#|>; ^co 
f*T-^c7)7°n^'"^ AJf-kp ^ffli ^TBf ^{b§ii/-crn 

^5^7AiiS'Jl^p{±. 7°n^^A(7)^(;:^L>f y^-'J 

[0012] m\trnfyl.t:^mtthffi^zm\^^fl 
5k-t''v b7°D/vA^^-k,i/)-ciL-rtl(±, -7X9 

- - m 1 i t < }i ijSi^iim -7 > y Ay N -y y A Mil 

So 1^-5^. ^^>y;^^MitHi±kh^y^y^'^^y-f[l& 

KO, 2kc^;^§w^^-fy-ffi^f^i,, A.v>,xK]a 

HcOtf}ll(i:k-f 'y bA-f:^U-ttiOWllotll| t IX 
^t^tii^X'^^. ^^X\ Ho«§igyN>yy^MiS[fO 

-y ^^Mic(7)aj^i?)*^ t LT^ij-rs ^ t 

I., 

[ 0 0 1 3 ] f^Jt LT. rn/7AiiSlJ^pi7).^h--y b 

f5gc7)*tj|;^l> A/ ^ y -imzm-}X . '^x9~^-\z 
CiLTn/^A^giJ^pA^mf.y b*^A>^l.c^t-* 

wi^pmmt^ f-y bfit^K-sTrn^"^ AHM^ P 
(7)n(7)\L^y him^tiwziiLxmm^fi^ . mmz 

tt. ^N^y y^^MI^Ho S /SttHiiO-^^irn^-^AliSiJ 
-tjiffl^iX-^^ -eOf^-C-. ^OCD (n-1 ) t'-ybfi 

m^nm^zni. Kimi^y h<^^ui-omizm'o 

X . ffWN -y y ^?imoSllt:y> >y y ^PSicHo t /ifi 

r<^xdi'zmt^tti^x^6. 
mi] 

[00 14] i^0j;3^:y^-yyAM±, 7y-tO;k- 
b 2 ^ -=3r-m:^iEgS^lT I ^ l> J; 3 ^ n K/bA' 
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xmt^ t ^ . mm<Dm<Dy u~]y^i ( n ) *^ 

H 1 ^ilfflt- 1, i fc t J; *3 7 U - & <! t *^"T'§ 

T (u) {±y-Ku^;^-^fc-rl.-»?-7■■7U-. h|]*>. 

u (u l,...,ur) \,znLX. -f:/7U-T ( u ) ti3 
^tl>fnri^^0T^7•7A^O^-&iJ^^>y>';LMi£& (n- 

[0 0 15] 

0 Oc^ J: a=5:JMft^&Mv->-r^-t"X7°pA'^ 
liU<{i1ti5[i7)lEft^..yby-^l 10&^tT^r■y 
h h -y r 5 -^;P4 0 0 ~4 0 1 S 1 i> t < {± 

'\< I X h h -. .1 1^-)^ 7 Kx >- s- 3 0 0 \im 3 (C 

M3i LTTt"^!^ L . -y h h 'y r^'- 5 -fJVA 0 0 (± 
Nb'yr^'-5-f;t/{±. j»i!^-&fflMTjSfi§ix^c^ 

o -7 h h ■/ 7° ^ - s ;^*^'*^T ^ ^ V 7 h X r 

Tiiv^ ^-yhv-^l 1 0{±f >^'^;k-rx7-^ 
-fX ( D S ST" ) j; a t£ruy=y 5 y^'rt^^ldft 

tVay^-yhy-^ (CATV) , i^«3S^^-.>y h7 
(PSTN) , 3te:t-yhy-^', I SDN. AV^ 
'y biO i 0 ^rWiH^^ -y h y-^' t -ri. i t 

[0 0 16] ^:■y^^•yr^-S:^;^'4 0 0{±A.vFX 

y ^■-9--^^-3 0 o>ei^^>xyiS?^ viv^yym.'km:. 

wt^gftL, S)i.B#rBMcorBi (Miff. iiAjsii^) m 

1 i L < i±^la<7)y^° -y i?i,zmft z t px^ t . 

rrt^^'yMi: rPfi^'g ycoxty-K^Blftlicoj; d 



ts'^^^'-Tmj^tfzmiij^ruvnjviimv^x^'y 

Kxy F-9--yS-3 0 0*^^>-fe>y h b -yr9~^i-}VA 
0 0 {zy-^ yu~ Y^hZb tiK'^ t . 
[0017] 7°n^7A^-fc iWrn^-^ 
^3Mft7°n^'7AJ±7°n^-7Adf-kp ^Ml^T^-y F 
xy F-tf-^^'-S 0 0 i-^THf^-fkSixl. „ ii^Tn 
5 A - k p { ± 7° n ^- ^ t ^ - y t c?) t" !> ; 
t A^t-I^ !> „ M^Hf ^-fkii j;t/'^r=^ a 'J ^ ^ -mi\Z 
mLXli. -XW.. B. Schneier, Applied Cryptography (2 

d ed. mi)\ztm^tix^^h, mmtruif'yj^<7:i^ 

m^zMtX. ^-y FxyF^^-vs;-3 0 0{i-fe>y F F 'y 

r^- 5 -^;l^4 0 0 n f'y F7°n^-5 AiiSiJ^ & 

^i-Lii, IB'lt$ix/ixy^^ F;^tt#i:^:it 
-b 'y F F 'y 7°^- S i-)VA 0 0 J; -^TfflV ^ (itl. TX 

[0018] rn^'^A^torn^-^Afisij^tosiJD 

^Pii;tti;(ciaH'fa-.i^.)Tiii'vv, fit Lvmmimza 
wx. 7°n ^ mm-t- V (,i M 1 ' K G - 2 w^{zm& § 

tL7t:ECM7 I'-zPFtrCj^USiL^S 2tr>y Fffi^^^i 

yM.<^^=L-^-Xhtl\f. -fe >y F F >y7°^-S:^;^ 
4 0 0(±IB'lt§fL^fi$tL)tffllS*^'^Tn^'7Adf-k 

1-|> J; 3 tyny yA:^-kp Srfflv i^, t . 

[0019] ^%m<DWj:m'mzi.fi\f. ^^imm 

TDiJ''^ A k f -y F £0Tn:/7 A^- k p 
<7)^ixm{i, '?X9~^~m\,Z 1 i L<{±«^(7)Ml:l 

^y^-A^N >y i^:Lmm^mm-fh ztizi^'m^b 

if;. 0. Goldreich et al., "How to Construct Random 
Functions, "J. ACM, 33:792-807(1986)(:|Sa§ixTV^ 

[ 0 0 2 0 ] LT. imm'^l,Z-t^a.7Xh 0 , ^ 

§ i2miz-tiJ\-yi^^mmiaTcDX a tfflv^i. . 

H : {O.K {0.1} 2k 

k{i7°P^'-7A=^-kp£0^§T-|)l.„ Is^o 

T . yN .y y^mmmi k h" -y Fioys-^ t U -ffi^E 0 . 

£ti:?J{ik f >y F^N'-Y y -fficDMHo t Hi t LT^-Td 
^i-C'. Ho{4^^-yi^irai:H^^f}lI^OS 

(i£»f.y F ) T-$) D . H {1} -y i-^iPB 
aH(7)tli^£7)MIM (M|IJffit'-yF) Xhh. Hot 
Hi ttj^ij^ ^7)y^ -y ^-jtMSi: D?^^ t ti^X^ h . 
[002 1 ] k = 1 6 OXMf. Htt. -XM. Secure 
Hasli Standard, National Institute of Standards an 
d Technology, NIST FTPS PUB 180-1, U. S. Dept. of 
Commerce (Apr 11, 1995) tiaaStll> J; 3 'y ^ 

^mmsHA-ii:m^^xmm-t6czti^x^t, hp 



(7) ^2 001-36517 (P2001-36517A) 



ib. HoJiSHA-l (x II 0) fc^rO. HitiSHA- 
1 (x il 1 ) t^rS, ^^X\ Ofc Ifi^m^TO 

[00 22] Tn^-^A^-kpii:, Tn^'-^AfiSiJi^ 
P y -fgt:|^!':'T^X^-df-mt: 1 L < 

i.;t*iT'^i>„ mtix. 7°n^'-5Adf-kp(±, r 

Alt^iJ^ P n O f y b ^iLSc0^i^m^:^^ >y ^^P^i^ 

[0 0 2 3] mmZ}\^yiy^fm.V[f>tfz\miC0-l5t^ 
fflSilS. ^i7)fi-C\ aO^?) (n-l) b'yhfiS^il 
|,b.7 ho^fU-j-^j-mz^-^X. MO^^•yv'Afi^tH« 
•CfiBi-r I. i 0 . i ^?)^^ >y ^^fimimTiO J: o 

*.=^,.(-^^(^« ('"))■■■) 

[0024] ±ai<7)J: a tc. A..y Kxy 0 
OJiBf-^-ftrn^^^Afc fc i Aitsrj^ p 

'7YV-/7"9-i.-f>VA{]{) \mmr^y'yM.ffMm^z 
ffl V ^ ix ^ r n ^- 5 A ^ - k p ^ f# ( m ( f ^ A. ^: ^ -> , 
J: ^ . r n ^- ^ A ^ - k p (i; r n ^-"^ AiMO^ 
P WS-^ :h ij -fitct^-^ T ^-^-m(Cl t < (± 

aij£^^> ^y i^:2.mmmmzMm-th ^h\,zk-^ t# 

rn:/7Adf-kp{4, TX-mm-h 

^■■^AfiSiJ^ P ^ TO^tfflV^TH^fiO-b -y b b >y 
-S-^;L'4 0 Otc j;'5T#ii>^i^{m(?=5r^>=5rV^. 
[0 0 2 5] .^--yy- 

A^giJ^ P £7)y^M U -fflt;|^'> T i^'-^-m 1 

L< iiMAto^^ 'v'y:i-mmmmmzm\^h ^ 1 i 

m^fflv^l,, 7°n^7AiiSy^pi?)b-y bJ4p = 

(Pi P„) bLxm-f^btin'%h. ii-c. Pi 

(±^ffib'.yNT3^o, m^my^vYX'ht. rn^'^ 

A^'J^^P &^-rS7°n^''5At:M^|>Bi^^[:df-k, 
[i5[3] 



[0026] ^N>yS/jLM#{±. ll2lcS^Uc^-7y- 

2 0 0 <7) j; 3 n -f y -7 y -T 1 1 

TS-f-d t t-x-% I. „ H 2 1:^^ L/t^-'y y - 2 0 0 
\i. 3b-'y bA^ib^l>7°n^"5Aii3lJ^P^^t-|.^^ 
W:MJ55-ri>, El2t;7Kt-J;at. VX^-^-m*J7 
y-2 0 0O;l'-h2 1 Ot:BaMSixl>„ 7°n^"7Adf 
-kpttU-7y-F2 4 0-2 4 7iOj:5^y-77 
~Yl,zni&~th. TU-7y-K2 4 3i^rni^^Adr 
-kptcWtCf I.^^T'y^'XO 1 lcrii.o^j:m2\Z7^ 
■r#7°n^''^A=?f-kpt:>5fJE-tl>^ VT'y^X(±, ;^ 
-1-21 0/j^A,y-7y-K24 3^i^^-7y-2 0 
0&JiL■CW^°X^^-r, Mi{f. 24 3i^rn^'5A 

K2 2 0*^^5<;0#X>yi;^ (Hi ) . y-F2 3 23f)^i^c^ 
^rx.yi; (Hi) hfzKh^Uz^-,x%h^hffix:% 

fiP*>, Ho*i■Hl//m2W^•y^alSS^^B^^}lffl$ 
til> . rn:^- 7 A^- kpo 1 1 ^ #1- - fc § „ 
[0027] MoT, y-K24 3i^j;a^7-HuiO 
;l^-l-2 1 0*^A,y-Hu^iO^N°;icox-yi>' 
}L(n'j'<^}V^W^l,fz%,(ntt£'^x\^h. #y-FV)7 
'<.;H4rn^'7AiiSiJ^pT«-rSit*^'T#l.. 7 
- F u &;t^- h fc -r -9-7^7 y - ^ll-t^cft t ( HP% , 
7- K u O-tf 7"7 y - t;i5(t S 'J - 7 dMiE-f 7"n / 

7Ailij^iJi^P(7jb-y i-r^^/c*^(:;) , r ( u ) im\^ 

^ill. ^~'y^J-2 0 0iZiHfm^r{zmhP^^ 

J~ K u (4. gP^Wo^ P ( u 1 

uj &^rL. .rfLA.t:^L. ^f7'7U-T ( u ) 

S , 7 - K u ^0^f 7-7 y - (C (t l> V ^-f ^17) 7°n 5- A 
7)^-*i)VN'y^AMa^ (n-r) H^l^ij^-frl, ^ t 

>-AllS:Hoi/-c{4Hi^rn^'-^A|i^iJ^p7) (n- 
r ) c^ffiv^ffic?)b.y h ^ix^'iic^fi*«t-|> J: 0 tffl 
v^S. fi^-^T. y-Fut:MJtGt-|.rn^^Adf-kp 
J~^Mm^V^)~{zmh^X<7TTuy'yK\Z 

I. 

[ 0 0 2 8 ] t mmmmm yi^-2.^^^xhti 

Adr-<7)^.yby^'-kp{0,l>n^(0.1}k«»i7yrA 

mmx'hh.. zmz-)\^x\±-xm. o. coidrdch et a 

1., "How toConstruct Random Functions," J. ACM, 3 
3 : 792-807 (1986) t^lBK § tlT V ^ I, , 

[0029] i-xf-Aay^^-^-yh. 
UStt^v-y Kxy KHf-ys-3 0 0<7)7-^t^ ^'■^'■v 

-&s;^7'n-y^iaT-$)^„ ^vHxyKti. r^bi^' 

gy^-yby-y. ^~y)vmm^. t'J9)v%El^~ 
bxaffl#. I ^(ief^fhrn y^ 5 y y Mi 
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kt^^t . A. -y Kxy K-ff-ys;- 3 0 0 m\ 
X.{f . IBM Corp. MJg-ri. R S 6 0 0 OHfWN'-tcTH 

I. ; t A^'T- # o ^ -y F X y F tf-^ 3 0 0 ic{i7°n 
■fe-y-9--3 1 0iij:l/T-^IE®T^-^^X3 2 0Oj;9 
^j:mm-t^^^O -^mit . 7°n^r-/-9--3 1 0«* 
-orn^r .y-tf- 1 LT i < , MMlcMf^^t 

IB'ISt-'>'-< X320^ROMt:ltL< 

mm^. rp-tr-y^f-3 1 os&iBoait. )»«?t. m 

[00 30] 0 iz, r~9tmT^<^ ^ 3 2 0 

ixmm-ti X 0 1:. r-nmi'fU x 3 2 o^rn 

77Ar-3''^-.X 5 0 0 *rW-f I) , rviy^l^r—^ 

K-x 5 0 ourn^^'yM.m^^lf-pm.tf^rxiy'yA 
7 . 8 mmixmmt^ mz^ T-mm'^u x 

3 2 0{±xy^'-^ h;l';><ybffl|giEfi7°O-feX7 0 0i3 

j;txrn^'7i^iE^irn-fex 8 0 0 « 

[ 0 0 3 1 ] -JIRt;. xy^^h/MyMffgffifirn 

^rX7 0 OfilEffii— f'-t'*S7°a7'5At;r^-fex 

-r^coi^z^mmm^^b x > ^ f /l ^ > b^ig^ 

^^inatt^. tfz. 7°n^'"7Affifirn-lrX8 0 0 

^fzMZ. r\J^yMzW\r) '^Xi^tlfzrnifyJ^m^\ 
^ P t * -3-1 7° n ^' 7 A ^ - k p ^ f#|, , 
[00 32] MiM^- b 3 3 0 7 Kxy K■^f-^^'- 
300^^-y^V-^l 1 Otco^S\ EIH^S^Lit-fe 
■y b h 'y 7°^- S i-)V4 0 ^o^^m/iSfilff 

m^-^itcA-y Hxy K-r-^\-3 0 0 ^ u y^'-ri. o 

[0 0 3 3] @4 (4. ^2'y^^■y7°^-5-:^;^4 0 0cD 
r-^T^^'^-V-&St-7-n>y^HT'3^l.„ -b-ybb 

-y7°^-S-^;l/4 ooii, mtll, Ti-ii-i^ 3 yt,zMm 

•ri.^r.y bb-yT^-S-^-yL- (STT ) > LT^^St-S 

hb-y7°:?-5^;l/4 0 0J4, 7°n 
■fev->f-4 1 0i3j;t;T-^IE'[^*4 2 0(7)j;3=Sr^ 
^U-. 3l€*f-b4 3 0^ffii. Il3t'ra3it>t±<7) 

i 3 ^- b ^ X r t ^«^*ffi-r-»ftt-i. o 

[00 34] H6 t:BI31LTTT-|Mt-|> X'Az.. r- 

^ia'is^g4 2 0 ii. T-^ie'^*4 2 OiT)-^^ ^lt 

g|5^H:iS'lit-|.i fc^^'t'i §xy:5?-< b;U;><y br-^ 
<-X6 0 0^ffiil., xy:?>f b;l/;'«ybT-:^'<- 

xeo o(i;li^*ixy^^ b;^^yb^^^t-■g.7°^^'■'5 

A ir\J^'y^^~k^^%lfz)sbl^Z'£^Wj:^- 



ow\-yzy^mmH<,kUi (44 0) imi&. tfz. 
m9i,zmmLxTx-Mmt^ x 3 1:. T-^'iBit^M4 

2 0(47'"n-b'7°n-fea9 0 0?r^O„ — J^fc. f^n- 
b'TP-tX9 0 014. Tn^'-^i^^-kp 

§ fL/t 7°n ^ lis iJi^ P i3 J; t^lS'li S n/i X y ^ 
^ b/l-^^ybffilgeo 0^fflV\ ^LT7°n^-5A^W 
fI-r?>/:^i6(C7°n^'-7i^^-kpS:lil^T. HS^O^xy 

b;b;><yb^^^l>Tn^-7A^»M^|,„ 
[003 5] 05(4. A^y b■xyb^f-A-3 0 0^;j; 

i^'^Av^-^J'K-XSOO&S^LTV^I,, icoffif|lt4. 

^iorn^'^ ^^'i^ J;t^'WJE-ri> 7°o 

^'"7i.iij^ij^ptttt;. mm. mmmizmimti 

7°D^'^AT-^'^-X5 0 0i4^3-b5 0 5- 

5 2 0<7)J:3^rmt^Tn-b'^ffi^-rSo ^iit^ii^ 

ti^'tim^x^rn^yMzm^-^if^ixx^^^. 7 ^ - 
fi-v 5 2 5 ^zxru^'yj^nzx-oxmm^tLi^rn 

f^'yl^mS^mzMLX . m^-yj^r-j'K-y. 5 0 0 
ii. 7 ^ b 5 3 0 i'ZX^cr)7'viyyI.ffm-tmi:' 
•f •&•'^°•y^-J>'^0^^7K^r qV^. 7 i-H b 5 3 5(,.:T^'t 

[0036] Il6(4^^ji)^xy:$^^ b^M^b^^t"!. 
ru^'yMzMLXr^^yA^-k, i^m^z^m 

xhi^~'y^J~2 0 0<D^j^^:i^t£3iy^^ b/My 

bT-^'^-X6 0 0^^LTViS„ wmitzXd^z. 
T (u) (47-bu^;k-btt- l.^?-7-7U-, t-5r^5 

% . 7- b u co^j^y y -t:i3(t I. y-7y-b24o 

-2 4 7 iZ)(tm-tirn^yM.m^^P(^-t -y b 
t.mm. iLffiS*fJ-7y-b'2 4 0--2 4 3t2 
MlBt-l. 4 oc7)rn^-^ A^gfi^|> ; fc tMLTxy 
^J'-^ b;ky ybr*-t-|>=5:^;>i4. xy^.< b;b><ybtt 
#{4. 7-b2 2 0t:>!tJtE-r-&4'PHl^-*^ib=5rS^fct 

^coij'mzm^x. mw^^^^'yi^^mmnokiii 

(44 0) {4i£i^tCjEtT. 7-b2 2 0^7)^f7'7U- 
ti3(tS#y-F2 3 0. 2 3 2. 24 0-24 3t:)^ 

[0037] ll6T*L/ixy^-< b;b;'<ybT-^< 
-7.60054. y-77-b24 0-24 3 tMJE-tl> 
m-^corviifyJ^i^m'tlAEMJ-—f-Xh^ (xy 
b;Myb;?^'$)^) . i;^v:. y-7y-b'2 4 6- 
2 4 7 tMK-ri. ~-0(7)TP^7i.S:Sfi^l>iEffl^- 
Hf-T-$>?>„ l^^-^T. xy^^ b/b^ybr-^^-x 

6 0 otcfEli$ix/sxy^^ b/b^ y b'lfffi(4. 7-b 

220ky~]^236izMlSt6^m^-t'(o'i^. J 

-b'2 2 0. 2 3 6^ii-eiit;:ML. xy^'-f b;i-;^> 
br-^'K-xe 0 0t3fail$^i;txy:5?>f b;b>tyb 
ffi|g{4^tLm4'rHl^-ffiki„tkiii^^L. 

i,iii]Wn7 7Aiisij^ pioj^TS^^t-i. . w^fm 

m.tz-Tx3 9'=/h.ov'<-y'r-'J\iz^-i\^x:^y^A b;b 



[0 0 3 8] 7°n^-7AyN°'y^— i^'y^'. 

u^'yl.<7)^ y h i^zM L/J^§ ^rx y ^ ^ b ;i y h 

ue7. 

[0 0 3 9] A°.y^r-^st;>f^-rsxy:?-^ h)V^yh 
mmi±. T (s) coy-Ht:fcv^Tffiif$fii.ct]^^- 

b S tMt-§xy y htffg&-o< I, i fc ^i-T 

SiJ^)iT^.iiii(f, xy^^ b;k;^yhfflffi{i-(r-y hb 
0 Oi7)ffil)ll5il/t-fe^^T^^ >J-tC 

[0 0 4 0] 7°n-t.x 

J: a t:. ^ •/ K X > I' ^- 3 0 0 im T i-J. 

u^xy:^^-f h)ij<yh'mmm7°r:>-tx7 0 o^mff 

tf-tit-^T^^^xy^-^ b/Myhr-^ 

A b;l/;<y hT-^<-X6 0 omiS/j'iEM^-— 'f- 
-^hhm^'^yMznLX. 7°ni?-7i.^-kp^#S 
<7)t;i£Jg^=3j:_7 ij - 2 0 0 K t:MLT . MJEE 

[0 04 1 ] i^oT, xy^-f f-;l/;^y }-'[ffgiefi7°n 
^r;^7 0 OiiiT, ffi^WXL/lTn^'-^A^iiSiJ^ 
S ( 7 1 0 ) . ^cot^t;. xy^'^ YiV^yYWkmt 
ra-feX7 0 0{47';-y-K£?)ft/h'tr-y bT (S) ^ 

^:^fy^"-•r^„ ^-^^^y h-fe>y hS(4, rjy-fedrix^ 
7'7°n^'-^ AiiSiJ^ P cOft^T AT^ly^AyVAy^- 
A;bA.t^v||§^l, (72 0) , -otorn^'^Ai^iJ 
^ P f4 . ^ ws-^ U y-b^^ 
T^7''-C-$)l>i|-^t;. 3y-fe^AX^7'i:#i.A,fL^. 
[ 0 0 4 2 ] LT. ;!?^N-T ( S ) *i#-f y 
tMLT^ott^^l^ (7 3 0) , 
it#^y^-vSVPt:j^^|,^A-T (S) (TyJ~Y\,Z 

§til> (740) , mmz^ *j3£$ix!txy^-f b;k^ 
y hffi?g*^X>y h'xy h'-9--y\'-3 0 Ot^i-^T-lr >y h 
b-y7°^-S^;t/400^fc^''i^yn-K$^I (7 5 

0 ) , 7°n^-^i.MW$*7-ri> (76 0), 
[0 0 4 3] ^-^^''y b-fe'y bStCfeftl>-f y^'-^^>^ 

m\M \ (s) tt-|>;t*^'T-iS„ nco^yy-y-K 
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-t^^-fy h-b h s &iE^i^:;^7^^'-t-|. i a ^7 u 

[i[4] 

) = -S' . |Z| (iS'h 

co^-^-t-rn^ 7 AiiM^ p toii-^ y ^-A/ni 

M-^-S^^^N'-T (S) ^tf-mt-|.;ti^(::. I^Sni?)^- 
V')-2 0 0\zmh^£\niimW\ «oT, xy^ 

>f b;t^>tybtffgEfi7°n-t:x7 0 ommmm^iii 

(S) ■ ntO^-^--t^l>» *^MA-T 
(S)^;^C#§{4. I (S) ■ niO^-^'-'-i:^!,, 

yi^~fh^tt^m^z^hruifyj^m\\l-pm\^^^ 

X t,ixh^^X'hh . -m^ziiK^X. S*W^^^°■y^- 
i^\±. f y b7>7^ ■y97.}j.i^~fh^X<Drxi^y 

[0044 ] ^ to J; 3 ^iji- b h° -y 7 ^r-i^'^oxy 

^-f b;kyybti, ^— yU-2 0 0Hfc(tl>#-fO^ 

--C'^)!.. SJt. V;^^bb°■yi?y^^y^->>■^SIJ^tfflil 
LTT-ty7>-rS;fc*^T'#l.„ xy:5?-^ b/l-^yb 
ft fgfimti. ^/Wf- b h° .y >y y-i->^,:5rSiia^ 

b t° .y 9 X tMtl. >y b Xh h . 

V\ 7-^7^ ■y^X^(cJ;^)S£S^I.^^°'y^^-i>■ii:^ 
t:^§ « 0 7V 7 ^ >y ^ 7.^ffll rni? ^ A 
S J: a >y b b -yT^- 5 -^;l'4 0 0 L-cga^ L 

[004 5] _ha;tOj;3t. ^>y bxy b^f-A-S 0 

014, ll8(C7S-t7°n^-7i^Sfi7°n-b,X8 0 OSrMf 

L . 7°n^-^AtigiJi^p ^:mv^xru^'yM.immLm 
mt?^tzi!biz^ ruy-yi.t'?:^i9-^-m^zm^'^x 
UitzT^ 9'yhmm- P tSo'V ^TTo 7 i^^- k 
p^#^» 7°n^-^AgSft7°n^2X8 0 Oii. ^^c^3S 
fiXx'yrmTli. ^77-< y=5rV^LmrBlt«t- 

flTn-feX 8 0 0(43lfrr<#7°ni/7A&ieiJ3fJ-ri. i 

t \zx-yxwmmMkm^hrxi^x^mkfh 

(810). 

[0046] -f-i^ltt:. rn^^i^lEmrn-trX 800 
(i:7°n^7AT-^<-X 5 0 0>?i*^.(7)Tn^7A('M 
JE^STn^'-^ AfiSiJ^ P D tii L ( 8 2 0 ) . 
7° n / ^ A [znm-f !> 7°n ^" 5 A ^ - k p ^ I, 

(830) , LT ro:^'- 7 A{i|fr{7)Xf -y 7X1^$ 
tl/^7°0^''7Adf-kp£ffll^TBi^'ft§^ll. (84 
0) , ;ftftt;. Tn^'^AiefiTP-feXSO 0(4. 7°n 
^'■'7AiiJ?[Ji^P 1 1 t:Hi^^k$n/-c7°n^'-7 A^3Sm 

L ( 8 5 0 ) . ru^'ymmwmth ( 8 6 o ) , 

[0047] 7°n:7-7 Aiij^lJ^ p (4, 7°n^-^ AttfgCO 
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iiV^X , rrt^'^yl^mWlTp ii:Barker^-r -?Vl/<7) J; 3 ^ 

[0 0 4 8] ±}i£/)j;at, ^:-y ^^-7 7^^-s-^;^4 

0 Oiiiagt^^L/STn-FTn^rxg 0 OSrHtf L. 
rxif^l^^~\L^i\Wz^\z%m^t\fz:i~y9A b 

hru^'^yJ^MlWi-fh , 0 9 {Z^.-fl d IZ., -f'3- F 

rn^r^9 0 0i±^jEiOf-^y^-;i/t^j.--y^'-§-it 
m^m^^comm^miz. :^%m<^}mm\^^tzr 

u'txi:mt^-t^ (9 10) . 
[0 0 4 9] ^cnmz^ -t'vhh'vr^-ii-fVAOO 
i±m^-it § ii/t 7° n 7' ^ A j; Lf^'jMft 5 i i/-^ r n ^ A 

M^i^p i^tsm^mimi^m-t^^ ( 9 2 o ) « ^r? 

-K7°n-lrX9 0 OJixy^-^ h)l:^yhr'-^<-X 

6ooi}^i^m'mtitz3iy^^ hji^yhmrnKtia, 

( 9 3 0 ) . jifiS^i3t7°a/7A&#0*^t'o^^& 
mm-t^ (940) , tt;<x-yr9 4 0tCTSfirn 

P *'ir^ s X > 1; -/;>'x y ^ y h T 
-j^K-x b 0 0 t^T fr{L L > fc S ii^Ji^. H 
§ t ( iffifK $ iifz 7° n 7 A X y ^ ^ h ;|^;>{ y 
b{±5r<. To^7AM«i*IT-r-& (980) „ 
[00 50] L*^L. i L^fi§il/i7°n^7AiSS'J^ 
P f -y h IZ^m-ttmra^'yAmi'l' P ^ 

:S-ri>xy^-f b;u^yhr-^'^-;^6 0 0t:xyb 
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I , Title ef iDTcttioii 

Method and System Foi Tiansni tt inf A Program Hanag Restricted Access 
t(i An End-iiS{f 
I. Claims 

1 ■ A method for traiumitting a program having restricted access to an end- 

user, said method comprisiag the stefM of: 

assigning a program identifier to said program, said program identifier 
having a binaiy vahie; 

defining at least one master key; 

encrypting said program using a program key, said program Icey obtained 
by applying at least one hash fimctiou to said master key baaed on a binaiy value of said 
program identifier; and 

traitgmittiog said enaypted program together with said program identifier 
to said end-user. 

2. The method according to claim 1, wherein said program identifier 

consists of « bits, and one of said hash fiinctions is applied for each of the n bit positions 
of the program identifier dependiog on the correspondii^ bit value of the program 
identifier. 

The method according to claim 1, further comprising the step of 
providing entitlement information to said end-uaers based on the set of programs 
obtained by said end-user 

4- The method according to claun 3, wherem said entitlement iiifonnation 

inchides a portion of a key tree based on the set of programs obtained by said end-user. 

5. The method according to claim 3, wherein said end-user uses said 

received program identifier to derive said program key from said stored entitlement 
mfbnnation. 

U' The method according to claim 1, wherein said program identifier is 

interleaved with the transmission of said encrypted program. 
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/. The method according to claim 1, wherein said program identifier is 

transmitted on a control channel 

g. A method for transmitting a program to a plurality of end-users, said 

method comprising the steps of: 

enctypting said prograio using a program key, said program having a 
program identifier, said program key obtained by recursively applying a hash fiinction to 
a master key based on the binaty value of each bit position of said program identifier; 
and 

transmittlDg said enctypted program and said program identifier to said 

9. The method according to claim 8, 'wherein said program identifier 
consists of n bits, and a hash flinction is applied for each of the n bit positions of the 
program ideaitifier depending on the oorrespoildiftg bit value of the program identifier. 

10. The method accordmg to claim 8, fiirther compriung the step of 
providing entitlement informaition to said end-users based on the set of programs 
obtained by said end-user 

1 1 . The method according to claim 10, wherein said entitlement information 
Inchides a portion of a key tree based on the set of programs obtained by said end-user. 

12. The method according to claim 10, wherein said end-user uses said 
received program identifier tn derive said program key ftom said stored entitlement 
iofbrmation. 

13. The method according to claim 8, wherran said program identifier is 
interleaved with the transtnis^on of said enciypted program. 

14. The method according to claim 8, wherein said program identifier is 
transmitted on a control channel. 



(17) B2 001-36517 (P2001-36517A) 



15. A method for transmitting a program associated with at least one package 
of programs to a plurality of sod-users, said method comprising the steps of 

providing entitlement information to said end-users based on the set of 
programs obtained by said end-user, 

encrypting said program using a program key, said program having a 
program identifier, said program key obtained by rscuravdy applying a hash fimction to 
a master key based on the binary value of each bit position of said program identifier; 

transmitting said prosram identifier with said eticiypted program to sdd 
end-users, said end-users deriving said program key from said stored entitlement 
information if said end-user is entitled to said program. 

16. The method according to claim 15, wherein said program identifier 
consists of n bits, and one of said hash flinctions is applied for each of the n uit positions 
of tlie program identifier depeading on the corresponding bit value of the program 
identifier. 

17. The method according to daim 1 S, wherein said en^ement information 
inchides a portion of a key tree based on the set of programs obtained by said end-user. 

18 The method according to claim IS, wherein said end-user uses said 

received program idenlifief to derive said program key fi-om said stored entitlement 

information. 

19. The iitethod according to claim 15, wherein said program identifier is 
Interleaved with the transmission of said encrypted program. 

20. The method according to claim 15, wherein said program identifier is 
transmitted on a control channel. 
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21- A method for decoding an encrypted program, said method comprising 

the steps of; 

recdving entitlement infonuiition from a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receiving sdd encrypted program and a program identifier, said encrypted 
program enoyptod with a program key; 

deriving said program key from said program identifier and said stored 
portion of said key tree; and 

decrypting said encrypted program using said program key. 

22. The method according to claim 21, wherein said program identifier 
consists of n bits, said master key is placed at the root of said key tree and said key tree 
is generated by applying a hash function to each node, until n tree levels have been 
created. 

23. A method for decoding an encrypted program, said method comprising 



receiving entitlement information from a provider of said program, said 
enthlsment information including at least one intermediate key fi-om a key tree based on 
a set of programs obtaiiiud by said customer; 

receiving said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

deriving said program key from said program identifier and said stored 
intermediate key by recursively applying a hash fiinction to said intermediate key based 
on the binary value uf said program identifier, and 

decrypting said encrypted program using said program key. 
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24. The method accoiding to claim 23, wherein said program identifier 
consists of n bits and said intermediate key corresponds to an intermediate node at a 
level r of said key tree, and wLerein said hash function is applied to said intennediate key 

25. A system for transmitting a program having restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configuriEd to: 

assign a program identifier to said program, said program identifier 
having a binary value; 

define at Isast one nraster key; 

encrypt said program using a program key, said program key obtained by 
applying at least one hash flinction to said master key based on a binary value of said 
program identifier; and 

transnnt said encrypted program together with said program identifier to 

said end-user. 

26. A system for transmitting a program havinn restricted access to an end- 
user, said system comprising: 

a memory for storing a master key and computer readable code; and 

a processor operatively coupled to said memory, said processor 

configured to: 



encrypt said program using a program key, said prosram having a 
program identifier, said program key obtained by recursively applying a hash function to 
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a master key based onths binaiy value of each bit position of said program identifier; 
and 

transmit said encrypted program aud sdid program identifier to said end- 

27. A system for decoding an encrypted program, said system coinprisiug: 

a memory for storing a master itey and computer readable code; and 
a processor operatively coupled to said memory, said processor 



receive entitlement information from a provider of said program, said 
entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

receive said encrypted program and a program identifier, said encrypted 
program encrypted with a program key; 

derive said program key from said program identifier and said stored 
portion of said key tree; and 



28. An article of manufacture comprising: 

a computer readable medium having computer readable code means 
embodied tliereoa said coniputer readable program code means comprising: 

a step to assign a program identifier to a program, said program identifier 
having a binary value; 

a step to define at least one master key; 
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a step to encrypt said program using a program key. said program key 
obtained by applying at least one hash fijnction to said master key based on a binary 
value of said progracp identifier, and 

a step to transmit said encrypted program together with said program 
identifier to said end-user. 



29 An article of manu&cture comprising: 

a computer readable medium having computer readable cods means 
embodied thereon, said computer readable program code means comprising: 

a step to receive entitlement information from a provider of a program, 
said entitlement information including a portion of a key tree based on a set of programs 
obtained by said customer; 

a step to receive said encrypted program and a program identifier, said 
enci'ypted program encrypted with a program key; 

a step to derive said program key from said program identifier and said 
stored portion of said key treej and 

a step to deciypt said encrypted program using said program key. 



3. 



Detailtd DetcriptiDi ti InrtntioQ 
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F i dJ of the . I nv ention 

The present invention relates generally to a system for restricting access to 
transmitted prcgramming content, and more particularly, to a system for transmitting an 
encrypted program together with a program identifier which is used fay a set-top 
terminal, together with stored entitlement information, to derive the decryption key 
necessary to decrypt the program. 



As the number of channels available to television \wneTS has increased, alorg 
with the diversity of the programming content available on such channels, it has become 
increasingly challenging for service providers, such as cable television operators and 
digital satellite service operators, to offer packages of channels and programs that satisfy 
the majority of the telsvision viewing populalioii. The development of packages that 
may be offered to customers is generally a marfceting fiinction. Generally, a service 
provider desires to offier packages of various siwa, from a single program to ail the 
programs, and various combinations in between. 

The service provider typically broadcasts the television programs from a 
transmittBr, often refeiTed to as the "head-end," to a large population of customers. 
Each customer is typically entitled only to a subset of the received programmiag, 
associated with purchased packages. In a wirdesa broadcast environment, for example, 
the transmitted programming can be received by anyone with an appropriate receiver, 
such as an antenna or a ssitellite dish. Thus^ in order to restrict access to a transmitted 
program to authorized custoniers.^ho have purchased the required package, the service 
provider typically encrypts the transmitted programs and provides the customer with a 
set-top terminal (STT) containing one at more decryption keys which may be utilized to 
deciypt programs that a customer is entitled to. In this manner, the set-top terminal 
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receives encrypted transmissions and decrypts the progcams that the customer is entitled 
to, hut nothing else. 

In order to minimias piracy of the highly sensitive information stored in the set- 
top terminals, including the stored decryption keys, the set-top terminals typically 
contain a secure processor and secure memory, typically having a capacity on the order 
of a few kilobits, to store the deuyption keys. The secure memory is generally non- 
volatile, and tamper-resistant In addition, tiie secure tnanoiy is preferably writable, so 
that the keys may be reprogrammed a« desired, for example, for each billing period. The 
limited secure mcmoiy capacity of conventional set-top terminals limits the number of 
keys that may be stoied and thereby limits the number of packages which may be ofi^ed 
by a service providei It is noted that the number of programs typically broadcast by a 
service provider during a monthly billing period can be on the order of 200,000, 

Li one variation, conventional set-top terminals contain a bit vector havittg a bit 
entry corresponding to each package of programs ofifered by the service provider. If a 
particular customer is entitled to a package, the corresponding bit entry in the bit vector 
stored m the set-top terminal is set to one ("1"). Thereafter, all programs transmitted by 
the service provider are encrypted with a sii^le key. Upon receipt of a given program, 
the set-top temuiial accesses the bit vector to determine if the corresponding bit entry 
has beffii set. If the bit eutiy has been set, the set-top terminal utilities a single stored 
decryption key to decrypt the prt^ram. While, in theory, flexibility is achieved in the bit 
vector scheme by providing a bit entry for each package (a pack^e generally consists of 
one programX the length of the bit vector would be impractical in a system transmitting 
many programs in a smgle billing period. In addition, access control in such a system is 
provided exclusively fay the entries in the bit vector and is not cryptographic. Thus, if a 
customer is able to overwrite the bit vector, and set all bits to one ("I"), then the 
customer obtains access to all programs. 

In a further variation, programs are divided into packages, and all programs in a 
given package are encrypted uung the same key. Again, each package typically 
corresponds to one television channel. The set-top terminal stores a decryption key for 
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each package the customer is entitled to. Thus, if a program is to be included in a 
plurality of packages, then the program must be retFansmitted for each associated 
package, with each transmission encrypted with the encryption key correspondiiig to the 
paiticutar package. Although the access control is cryptographic, the ovecfaead 
associated with retransmittii^ a given program a mimber of times discourages service 
providers from placing the same program in a number of packages and thereby limits 
flexibility in designing packages of programs. 

WhQe such previous systems for encrypting and transmitting programming 
contetit have been rdatively successful in restiicting access to authorized customers, they 
do not permit a service provider, such as a tdevijion network, to ofier many different 
packages containiqg various numbers of programs to customers, without exceeding the 
lunited secure memory capacity of the set-top terminal or aignificantly increasing the 
oveihead. United Sutes Patent Application Serial Number OS/912,186, filed August 15, 
1997 and assigned to the assignee of the present invention, hei diiafter referred to as the 
"Vspace System," discloses a cryptographic method and apparatus for restricting access 
to transmitted programmu^ content. 

Each program in the Vspace System is enciypted by the head-end server prior to 
transmission, using a program key, Kp. Each of the piogram keys is a linear combination 
of a defined set of master keys, M. A program identifier identifying the program is 
transmitted with tha encrypted programming content. The Customer's set-top terminal 
can derive the decryption key from only the recaved program identifier, p, and 
previously stoired entitiemEnt information. The Vspace System provides a cryptographic 
access control mechanism, while permitting flexible packages (since the program does 
not need to be retransmitted fbr each associated package) without significantly extending 
the program header (only the program identifier is transmittsd with the program). 



Generally, encrypted programming content is transmittsd by a service provider 
using a transmitter, or head-end server, to one or more customers. According to one 
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aspect of the inventioii, a program identifier, p, used to identify tlie program is 
transmitted to the customer with the programming content. Each customer im a set-top 
terminal or another mechanism to restrict access to the transmitted multinwdia 
information using dectyption keys. The set-top terminal receives entitlement 
information fiom the head-end, corresponding to one or more packages of programs that 
the customer is entitled to for a given period. 

Hach program is encrypted by the head-end serra- prior to transmission, using a 
program key, K.p, which may be unique to the program. In addition to transmitting the 
encrypted piogrwn, the head-enu server transmits the program identifier, p, to the set- 
top teiminal. The set-top terminal uses the received program identifier, p, together with 
the stored emtitlemeut information, to derive the decryption key necessary to decrypt the 
prosram. In this manner, if a customer is entitled to a particular program, the set-top 
terminal will be able to derive the euciypted program key, I^, using the stored and 
rec«ved information, and thareafter use the program key. Kr. to decrypt the encrypted 
progiaia In various embodiments^ the program identifier, p, can be interleaved with the 
program portion or transmitted on a separate dedicated control channd. 

According to one aspect of the invention, each of the i-bit program keys, Kr, 
used to enciypt transmitted progrmis is obtained by app^ one or more pseudo- 
random hash fijnctioas, H, to a master key, m. In one implementation, a length-doubling 
hash function, H, is utilized. Thus, tlie hash function, H, takes a A-bit binary value and 
produces a binaiy value having a le^gth of 2k. The output of the hash fimction, H, can 
be represented as a pair of i^bit binaiy vahies, Ho and H|, where Ho is referred to as the 
left half of the output of the hash function, and Hi is the tight half of the output of the 
hash fimctiun. 

Li an illustrative implementation, a program key, Kp, is obtained by recursively 
applying a hash fiincdon. Ho or H,, to the master key, m, dependii^ on the 
corresponding binaiy value of each bit positim of the pre^ram identifier, p. Thus, if the 
program identifier, p, consists of » bits, one of the hash fimctions, Hp or H,, is applied 
for each of the n bit positions of the program identifier, p, depending on the 
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corresponding bit value of the pn^ram identifier, p. Iiiitially, one of the hash fiuictions. 
Ho or Hi, is applied to the master key, m, depentUng on the binary value of the most 
significant bit of the program identifier, p. Thereafter, for each of the remaining (n-l) bit 
positions, one of the hash fuuctions. Ho or Hi, is applied to the result of the previous 
hash operation, depending on the binary value of the coiiesponding bit The calculation 
of the program key, can be represented as Mows: 

K,=H^{,...H^{H^{m))...). 

The hash operation can be represented in terms of an n-level binary tree, T, 
referred to as the key tree, with the master key, m, placed at the root of the tree. The 
tree is generated by applying the hash functions Ho and Hi to each node, until the desired 
number of tree levels (n) have been created. The program keys, K,, correspond to the 
leaf nodes at the bottom level of the tree. The binary index (and likewise the program 
ideiitifiers, p) associated with each prosram key, Kp, corresponds to the path through the 
key tree from the root to the desired leaf node. t]m, the indfflt or labd of a given node, 
u, is the concatenation of the labels on the edges on the path from the root to the node a. 
T(u) denotes the subtree rooted at node «, or the set of program identifiers, p, 
corresponding to the leaves in the subtree of node u. For an internal uode, m, at depth r 
in the key tree, with a partial program identifier, p, (u,, , , u,), the keys of any program 
ill the subtree T(u) can be computed by activating the hash fiinction n - r times. 

A more complete understanding of the present invention, as well as fijrther 
features and advantages of the present invention, will be obtained by reference to the 
Mowing detailed description and drawings. 

Brief Dweriii tion of the Drawings 

FIG. 1 is a schematic block diagram tlhistrating a system for transmitting 
encrypted programmiog content in accordance with one embodiment of the present 
invention; 
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FIG. 2 is a conceptual rspresentation of an exen^iaiy key tree in accorduce 
with the present inventiQii; 

FIG. 3 is a schematic block diagram of an esunplary head-end server of FIG. 1; 

FIG. 4 is a schematic block diagram of an exemplary set-top tenninal of FIG. I; 

FIG. 5 illustrates a sample table from the program database of FIG. 3; 

FIG. 6 illustrates a sample table &om the entitleineot database of FIG. 4; 

FIG. 7 is a flow chart desciibins an exemplary entitlement informatioti 
distribution process as implemented by tlie head-end server of FIG. 3; 

FIG. 8 is a flowchart describing an exemplary program distribution process as 
implemented by the head end server of FIG. 3; and 

FIG. 9 is a flowchait describing an exemplary decode process as implemented by 
the set-top terminal of FIG. 4. 



FIG. 1 shows an ilhistrative network enviranmBut for transierring encrypted 
multimedia information, such as video, audio and date, from a service provider using a 
transmitter, such as a head-eud ssrver 300, discussed fiirther below in eonjunction with 
FIG. 3, to one or more ojstomers having set-top terminals 400-401, such as the set-top 
terminal 400, discussetl fiirther below in conjunction with FIG. 4, over one or more 
distribution networks 1 10. As used herein, a set-top terminal inckdes any mechanism to 
restrict access to the transmitted multimedia information using decryption keys, 
including, for example, a computer configuration or a telecommunications device. It is 
possible for software executed by ths set-top terminal to be downloaded by the service 
provider The distribution network 110 can be a wireless broadcast network for 
distribution of programming content, such as a digital satellite service ("DSS™"), or a 
conventional vnred network, such as the cable telension network ("CATV), the Public 
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Switched Telephone Network {"PSTN"), an optical network, a broadband integrated 
services digital network ("ISDl^r) or the Internet. 

According to a Feature of the present invention, the set-top terminal 400 
imeminently receives entitlement infommtion from the head-end server 300, which 
permits a customer to access programs that the customer is entitled to for a given time 
interval, such as a hiUine period. As used herein, a paclcage is a predefined set of 
programs, and a given program can belong to one or more packages. A propam is any 
continuous multimedia transmission of a paidcuiar len^h, such as a television episode or 
a movie. The entitlement information can be downloaded from tiie head-end server 300 
to the set-top tetminal 'WO usiiig any suitably secure urn-directional or ui-directional 
protocol, as would be apparent to a person of ordinary skill. 

PROGRAM KEYS AND PROGRAM IDENTIFIERS 

As discussed fiirther below, each transmitted program is encrypted by the head- 
end server 300 using a program key, K?, which may be unique to the program. For a 
detailed discussiun of suitable encryption and security techniques, see B, Scfaneier, 
Applied Cryptography (2d ed. 1997), incorporated by reference herein. In addition to 
transmittiitg the encrypted program, the head-end server 300 also transmits an n-bit 
program iuMitifier, p, to the set-top terminals 400, which may be utilized by the set-top 
tenninal 400, together whh stored entitlement information, to derive the decryption key 
necessary to decrypt the prosram, in a manner described fiirtber below. As discussed 
below in a section entitled .\SSIGNING PROGRAM IDENTIFIERS TO PROGRAMS, 
the program identifiers, p, are not chosen arbitraiily. In one prefeiTcd embodiment, the 
program identifier, p, consists of a thirty-two (32) bit value that may bs transmitted, for 
eicample, in the ECM field defined in the MPEG-2 standard. In this manner, if a 
customer is entitled to a particular program, the set-top terminal 400 will be able to 
derive the program key, Kp, from stored and recdved infomiation, and tliereafter use the 
program key, Kp, to deciypt the encrypted program. 
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According to a fUrther feature of the present invention, each of the k-bit program 
keys, Kp, used to snciypt transmitted programs is ohUaned by applying one or more 
pseudo-random hash functions to a master key, m. For a detailed discussion of suit^le 
pseudo-random hash functions, sec, fbr example, O. tJoldreich et al., "How to Construct 
Random Functions," J. ACM, 33 792-807 (1986), incoipwated by reference herein. 

In one implementation, a OTtograptucally-secure, length doubliiig, hash fimction 
is utilized, as fijJlows: 

where, A is the length of tlie program key, Kp. Thus, the hash function, H, takes a A-bh 
binaiy vahie and produces a binary value iia\iiig a length of 2k. The output of the hash 
fijnction, H, can be rq)resanted as a pair of i-bit binary values. Ho and Hi, where Ho is 
referred to as the left half of the output of the hash function, H (most significant bits), 
and Hi is the right half of the output of the hash function, H (most significant bits). Hu 
and Hi can be said to be separate hash functions. In one illustrative implementation, 
when k equals 160, H could be defined by using the secret hash standard, SHA-1, as 
defined in Secure Hash Standard, National Institute of Standards and Techuology, NIST 
FIPS PUB lSO-1, U.S. Dept. of Commense (April, 1995), incorporated by reference 
herein. In other words, Ho equals SHA-1 (;i^|0), and Hi equals SH.V1 (xflX where 0 and 
1 are all-zero and all-one bit striiigs. respectively. 

According to a fUrther feature of the present invention, a program key, Kp, is 
obtained by recursively applying one or more hash fiinctions to the master key, m, 
depending on the binaiy vahie of the program identifier, p. In one implementation, the 
program key, K,, is obtained by recursively applying one of the hash fiinctions, Ho or Hi, 
to the master key, m, depending on the binaiy vahie of each bit position of the program 
identifier, p. Generally, if the program identifier, p, consists of n bits, one of the hash 
fiinctions. Ho or Hi, is apphsd fbr each of the n hit positions of the program identifier, p, 
(starting with the most significant bit) depending on the corresponding bh vahie of the 
program identifier, p. Initially, one of the hash functions. Ho or H|, is applied to the 
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master key, m. depending on the binary value of the most sigmficant bit. Thereafter, for 
each of the remaining (n-l) bit positions, one of the hash fiinctions. Ho or Hi, is applied 
to the result of the previous hash operation, depending on the Innaiy value of the 
corresponding Int As discussed below in a section entitled THE KEY TREE, the hash 
operation can be represented as follows: 

a:, =//^(./f^(J/„ («)),..). 

As previously indicated, the head-end server 300 will truismit the program 
idendtier, p, with the encrypted program. Thus, giveii the program identifier, p, the set- 
top temiinal 400 must obtain the program key, Kf, used to decrypt the received 
program. As previously indicated, the prosram key, Kp, is obtained by recursively 
applyiiig one or more hash fiinctions to a master key, m, depending on the binary value 
of the program identifier, p. The program keys, must be obtained by the customer's 
set-top terminal 400 indirectly using the stored entitlement infbnoation, discussed below, 
and the received program identifier, p. 

THE KEY TREE 

As previously indicated, a program key, is obtained by recursively applying 
one or mors hash functiaDs, H, to a master key, m, depending on the binary value of the 
proojram identifier, p. A single t-bit master k^, m, is utilized. The bits of the pTogram 
identifier, p, are denoted by p = (pi,...,p,0> where p, is the most sisnificant bit and p^, is 
the least significant bit. According to a feature of the present invention, the encryption 
key, for a program with a program tuentifier, p, is deSnad as fbllows: 

The iiash operation can also be repiescmed in terms of a M »4evel binary tree 
T, referred to as the key tree 200, shown in FIG. 2. Tlie illustrative key tree 200, shown 
in FIG. 2, corresponds to an implementation having program identifiers, p, consisting of 
three bits. As shown in HG. the master key, m, is placed at the root 210 of the tree 
200. The program keys, K,, cwrespond to the leaf nodes, such as the leaf nodes 240- 
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247. Tue index assod^ted whfa each program key, K,, shown in FIG. 2, sucb as the 
index 01 1 associated with the program key, Kp, of the leaf node 243, indicates tlw path 
through the key tree 200 from the root 210 to the leaf node 243. For example, the 
program key, Kp, of the leaf node 243 is obtained by following a left edge (Hg) from the 
root 210, a right edge (Hi) from the node 220 and a right edge (H,) from the node 232. 
In other words, Ilg is initially applied to the master key, ni, then H| is applied to a first 
hash result, and Hi is again appUed to the second hash result The resulting vahie is the 
program key, K^u. 

Thus, the label of a given node, u, such as the node 243, is the concatenation of 
the labels on the edges on the path from the root 210 to the node u. The label of each 
node can be identified with the prDgram identifiers, p. T(u) is utilized to denote the 
subtree rooted at node «, or cquivalently, to denote the set of program identifiers, jj, 
corresponding to the leaves in the subtree of node u. For an internal nods, h, at depth r 
in the key tree 200, with a |)artial program identifier, p, (ui,,.., u,), the keys of any 
program in tlie subtree T(u) can be computed. The key of any program in the subtree of 
node u is computed by activating the hash fiinction n - r times. Specifically, the 
appropriate hash fimction, Elo or Hi, is utilized as directed by the value of each of the n - 
r low order bits of the program identifier, p. Thus, the program key, Kp, corresponding 
to a node u can serve as an entitlement for all programs in the subtree of node u. 

If the function H is a pseudo-random generator, then the mapping of the program 
keys, K, {0,1}" -* {0,1 }^ parameterized by the master key, m, is a pseudo-random 
fiinctiiHi. See, for example, O. Goldreich et al., "How to Construct Random Functions," 
J. ACM, 33:7()2-807 (1986), incorporated by reference above. 

SYSTEM COMPONENTS 

FIG. 3 is a Wock diagram showing the architecture of an illustrative head-end 
server 300. The head end may be associated with a television network, a cable operator, 
a distal satellite service operator, or any service provider transmitting encrypted 
programming content. The head-end server 300 may be embodied, for example, as an 
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R5 6000 server, manufactured by fflM Corp., as modified herein to execute the 
functions and operatioiis of the present invention. The head-end server 300 inchides a 
processor 310 and relatsd memory, such as a data storage device 320. The processor 
310 may be embodied as a single processor, or a number of processors operating in 
parallel. The data storage device 320 and/or a read only memory (ROM) are operable to 
store one or more instructions, which the processor 3 10 is operable to retrieve, interpret 

As discussed above, the data storage device 320 includes a master key database 
350 for storing the master key, m. The master key, m, may be updated, for example, 
ODCC per billing period. la addition, as discussed further below in conjunction with FIG. 
5, the data storage device 320 includes a program database SOO. The program database 
500 incticates the pn^ram identifier, p, and associated packages corresponding to each 
program. In addition, as discussed further below in conjunction with FIGS. 7 AND 8, 
ths data storage device 320 utdudes on eatitlenient information distribution process 700 
and a program distribution pnxeas 800. Generally, the entitlement information 
distribution process 700 generates and distributes the entitlement information required by 
each customer to access entitled programs. In addition, the program distribution process 
800 derives the program key, Kp, based on the program identifier, p, assigned to the 
program in order to encrypt and transmit the program with the program identifier, p. 

Tiie communications port 330 connects the head-end server 300 to the 
distribution network 110, thereby linking the hcad-snd server 300 to each connected 
receiver, such as the set-top terminal 400 shown in FIG. 1. 

FIG. 4 is a block diagram showii^g the architecture of an illustrative set-top 
tsiminal 400. The set-top teiminal 400 may be embodied, for example, as a set-top 
terminal (STf) associated with a television, such as those commercially available from 
General Instruments Corp., as modified heran to execute the functions and operations of 
the present invention. The set-top terminal 400 indudes a processor 410 and related 
memory, such as a data storage device 420, as wdl as a oomiminication port 430, which 
operate in a similar manner to the hardware described above in conjunction with FIG. 3. 
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As discussed fiuther below in conjuncdon with FIG. 6, tbe data storage device 
470 includes an entitlement database 600 that may be storsd in a secure portion of the 
data storage device 420. The entitlement database 600 includes those portions of the 
key tree 200 tJiat are necessary to derive the program keys, Kp, for the programs to 
which the customer is endtled. In addition, the data storage device 420 includes the hash 
functions, IIo and Hi, 440. In additiaD, as discussed flirther below iii conjunction with 
FIG. 9, the data storage device 420 inchides a decode piocess 900. Generally, the 
decode process 900 deciypts programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement information 600 to deiive the 
program key, Kp, and then using the program key, Kr, to decrypt the program. 

FIG. S illustrates an exemplary program database 500 that stores information on 
each program, p, wMcb will be transmitted by the head-end server 300, for example, 
during a given billing period, including the packages the program belongs to and the 
corresponding program identifier, p. The program database SOO maintains a plurality of 
records, such as records 50S-S20, each associated with a different program. For each 
program identified by program name in field 525, the program database SOO inchides an 
indicaticHi of the coiresponding packages to which the program belongs in field 530 and 
the corresponding program identifier, p, in field 535. 

FIG. 6 illustrates an exemplary entitlement database 600 that inchides those 
portions of the key tree 200 that are necessary to derive the program keys, Kp, for the 
pro-ams to which the customer is entitled. As previously indicated, Tfu) is utilized to 
denote the subtree rooted at a node u. or cquivalently. to denote the set of program 
identifiers, p, corresponding to the leaf nod« 240-247 in die subtree of node u. For 
example, if a customer is entitled to receive ths four programs corresponding to the leaf 
nodes 240-243, the entitlement infbrmatioii vrould consist of the intermediate key 
associated with node 270. In this manner, the appropriate bash fiincttons, Ha and Hi, 
440 can be used to derive the program keys, K,, for eacii node 230, 232, 240-243 in the 
subtree of node 220, as nccessaiy. 
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The exemplaiy entitlement database 600 shown in FIG. 6 cotiesponds to a 
customei tbat is entitled to receive the four programs corresponding to the leaf nodes 
240-243, as well as trie two programs corresponding to the leaf nodes 246-247, Thus, 
the entitlement iiibrmatLon recorded in the entitlenient database GOO consists of the 
intermediate keys associated with node 220 and node 236. For each node 220 and 236, 
the entitlement information recorded in the entitlement database 600 includes the 
intermediate key vahie, Kij and Ki,;, respectively, and an indication of the corresponding 
partial program identifier, p. The manner in which the entitlement information 600 is 
generated by the entitlement information distribution process 700 based on packages of 
progranu selected by a customer is discussed below in coojunctian with FIG 7. 

PROGRAM PACKAGING 

Small entitlements can be established for many sets of programs of vaiying size, 
using the tree scheme of the present invention. A target set, S, is established using the 
collection of programs to be packaged. A minimal set of tree nodes is obtained whose 
subtrees precisely cover the target set, S, as follows: 

T(S) = Z c 7" such that y /'(«) =S,cmd\Z\a minimal , 

The entitlement information for the package, S, is the set of intermediate keys, 
Ki, held at the nodes of T(S). As indicated above, this set of keys allows the set-top 
terminal 400 to decrypt exactly the programs in S but nothing else. It is noted tbat, in 
principle^ the tree scheme of the present invention can create endtlement information for 
any artritraiy target set, S. It is fiirther noted, however, that if die program identifiers, p, 
are assigned arbitrarily then the entttlemeat iiifbrmation may become prohibitively large 
for the limited secure memory of the set-top terminals 400. 

PROCESSES 

As discussed above, the head-end server 300 executes an entitlemeiu information 
distribution process 700, shown in FIG. 7, to generate and distribute the entitlement 
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infbrmBtioii 600 required by each customer to scchs entitled programs As previously 
indicated, the entitlement infonnation 600 consists of the intermediate key value, Ki, and 
an indication of the corresponding piutial pro-am identifier, p, for each node of the key 
tree 200 that is necessary to derive the program keys, Kp, for the programs to which the 
customer is entitled. 

Thus, the entitlement infiwmation distribution process 700 initially identifies the 
programs selected by the customer during step 710. Thereafter, the entitlement 
infonnation distrilnition process 700 finds a minimal set of tree nodes, T{S), whose 
subtrees precisely cover the target set, S. The target set, S, is decomposed during step 
720 into maximal di^oint intervals of consecutive program identifiers, p. It is noted thai 
two program identifiers, p, are considered consecutive if the integers corresponding to 
the binary representations are consecutive. A cover, T{S), is then found for each interval 
during step 730. The set of intermediate keys, Ki, and correspondiitg partial program 
identifiers, p, held at the nodes of the cover, T(S}, for each interval are generated duritig 
step 740. Finally, the generated entitlement information is downloaded by the head-end 
server 300 to the set-top terminal 400 during step 750, before program control 
terminates during step 760, 

The number of intervals in the target set, S, is referred to as I(S). To compute a 
cover. T(S), for a single intei val of program identifiers, p, on the order of n tree nodes 
must be visited in a key tree 200 of depth n. Thus, the time complexity of the 
entitlement infonnatioa distribution process 700 is on the order of I(S)'n. Likewise, the 
ai^e of the minimal cover. T(S), Is on the order of I(S)n. Programs with related content 
should be assigned program identifiers, p, that allow them to be packaged e£Sciently. In 
one implemeatation, bade packages are of the fbim all program identifiers, p, with a bit 
prefix ]i. An entitlement for such a angle-topic package is a single key in the key tree 
300. Moreover, multi-topic packages can be assembled with no aide-effects. The 
entitlement information is simply the set of keys for the individual topics that comprise 
the multi-topic package. In accordance with the present invention, a package defined by 
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a preSx \i does not allow the set-top tenninal 400 to deciypt prognnu with a 0 prefix of 
the same length. 

As discussed above, the hsad-end server 300 executes a program distribution 
process 800, shown in FIG. 8, to derive the program key, Kp, based on the program 
identifier, p, assigned to the program and the master key, tn, in order to enciypt and 
transmit the prograiu with the program identifier, p. It is noted that the program 
distribution process 800, other tiian the actual transmission step, can be executed offline 
or in real-time. As illustrated in FIG. 8, the program distribution process 800 begins the 
processes embodying the principles of the present invention during step 810 by 
identifying a program to be transmitted. 

Thereafter, the program distribution process 800 retrieves the program identifier, 
p. corresponding to the program firnn the pn^ram database 500, during step 820, and 
then calculates the program key, Kp, corresponding to the program during step 830. The 
program will then be encr>^ted duiitig step 840 with the program key, Kp, calculated 
during the previous step. Finally, the program distribution process 800 will transmit the 
encrypted program together with the program identifier, p, during st^ 850, before 
program control tenninates during step iOO. It is noted diat the program identifier, p, 
can be transmitted periodically interieaved throughout the transmission of the program 
information, so that a customer can change channels during a program and be able to 
derive the program key, Kp, which is required to decrypt the program. In an alternate 
embodiment, the program identilier, p, can be continuously transmitted on a separate 
control channel, such as a Barker channel. 

As discussed abovs, the set-top terminal 400 executes a decode process 900, 
shown in FIG, 9, to decrypt programs that a customer is entitled to, by using the 
received program identifier, p, and the stored entitlement information 600 to derive the 
program key, Kp, and then using the program key, Kp, to decrypt the program. As 
illustrated in FIG. 9, the decode process 900 begins the processes embodying the 
principles of the present invention during step 910, upon receipt of a customer 
instiuction to tune to a particular channel. 
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Thereafter, the set-top terminal 400 will receive the appropriate signal during 
step 920, inchiding the encrypted program and the transmitted program identifier, p. 
The decode process 900 then retrieves the stored entitlement information from the 
entitlement database 600 during step 930. A test is performed during step 940 to 
determine if with the transmitted program. If it is determined during step 940 that an 
eutiy does not STdst in the entitletnent database 600 having a partial program identifier, p, 
that matches the most significant bits of the received program identifier, p, then the 
customer is not entitled to the selected pro-am and program control terminates during 
step 980. 

Ti, however, an entry does exist in the entitlement database 600 having a partial 
program identifier, p, that matches the most significant bits of the received prograin 
identifier, p, then the customer is entitled to the selected program. Thus, the program 
key, Kp, is then calculated during step 960 using the intwmediate key, Ki, retrieved from 
the entry of the entitlement database 600. Specifically, the program Icey, is computed 
by activating tiie appropriate hash fimctian, Ho or Hi, as directed by the value of each of 
the n - r low order bits of the program identifier, p, as follovirs: 

AT, =/r^C.,tf^(ff„(/:, ))...). 

Finally, the program is deciypted using the derived program key, Kp, during step 
970, before program control terminates during step 980 It is noted that if the received 
program is not part of the customer's entitlement, then there is no entitlement 
information in the entitlement database 600 having a partial program identifier, p, that 
matches the low urder bits of the program identifier, p, received with the transmitted 
projjram. 

It is further noted that the decode process 900 can wait for the customer to 
request a particular channel before attempting to derive the decryption keys and 
determine whether the customer is entitled to the requested channel, as described above, 
or the decode process 900 can ahematively periodically scan all channels to obtain the 
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transmitted program identifiers, p, in order to derive the decryption l^eys for storage in 
the data storage device 420 and predstermine the customer's entitlement. 

SUITABLE IIASH FUNCTIONS 

As previously indicated, if the hash fiinction, H, is a pseudo-random bit generator, 
then the mapping of p -» Kp is provably a pseudo-random fiinction. Thus, if the actual 
hash function, H, is cryptographically strong, then the encryption keys would be 
unpredictable. Accordingly, if a pirate only has access to the encrypted program 
broadcast, the knowledge that the keys were generated using the tree scheme of the 
present invention does not seem to hdp in hreakins the encryption. Therefbre, 
essentially the only concern is to ensure that the video encryption algorithm can 
withstand known plaintext attacks. 

The hash fiinction, H, should possess two properties. First, it must be hard to 
compute the input x given half of the image Ha(x) or Hi(x) for the hash fiinction, H. 
This certainly holds for any ciyptographic ha^ 11, which is hand to invert even when 
both halves of the image are known. In addition, it must be hard to compute Ho(x) even 
when Hi{x) is known, and vice versa. In principle, it may be easier to complete a missing 
half-key when the other half is known, even if the fimction H is hard to invert. If this is 
the case, then a pirate v^o knows the program key, K, for a node u may be able to 
compute the key to a sibling node; v, and then to all the programs in the subtree of node 

One advantage of the tree scheme m a>jcordance with the present invention is that 
it makes merging pirated entidements inefScient. Consider a pair of sibling programs, pi 
and P2, and their parent node, u. Suppose that the pirate knows the program key, Kp, 
corresponding to both iirograms, pi and p2, which are the two halves of H(Kp(u)). The 
pirate still cannot invert H and compute Kp(u) since II is a cryptographic hash function. 
Thus, the merged pirated entitlements would have to contain both Kp(pi) and Kp([)2), 
rather than mors compact Kp{u). Thus, breaking into multiple set-top terminals 400 with 

18 BIsichenbacher 1-S 
cheap (but different) entitlements is not a good strategy for the pirate, since the 
combined entitlement will be very large. 

As previously indicated, suitabis pseudo-random hash fiinctions are discussed, for 
example, in O. GoUreich et al., "How to Construct Random Functions," J. ACM, 
3 3 : 792-807 ( 1986), incorporatBd by reference above. 

It is to be understood that the embodiments and varialJons shown and described 
herein are merely iUustiative of the pdnciptes of this invention and that various 
modifications may be implemented by those skilled in the art without departing from the 
scope and spirit of the invention. 
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A system for restricting access to transmitted programming content is 
disclosed, which transmits a program identifier with the encrypted programming content. 
A set-top terminal or similar mechanism restricts access to the transmitted tnultimedia 
information using stored decryption keys. The set-top terminal receives entitlement 
information periodically firom the head-end, corresponding to one or more packages of 
programs that the customer is entitled to for a given period. Each program is encrypted 
by the head-end server piior to transmission, using a program key, Kp, which may be 
unique to the program. The set-top termina] uses the received program identifier, p, 
together with the stored entitlement information, to derive the dscryption key necessary 
to decrypt the program. Each of the A-bit program keys, Kp, used to encrypt transmitted 
programs is obtained by applying one or more pseudo-random hash fiinctions, II, such as 
a length-doubUng hash fimction, H, to a master key, m. The illustrative hash (unction, H, 
takes a ^-bit binary value and produces a binary value having a length of 2k, with lit 
being the left half of the output of the hash function, and Hi being the right half of the 
output of the hash function. A program key, Kp, is obtained by recursively applying a 
hash function. Ho or Hi, to the master key, m, depending on the corresponding binaiy 
vahie of each bit position of the program identifier, p. The hash operatioa is represented 
in terms of an n-levd binaiy tree, T, referred to as the key tree, with the master key, m, 
placed at the root of the tree. The tree is generated by applying the ha.sh fimctions Ho 
and Hi to each node, until the desired number of tree levels (n) have been created. The 
proRram keys, K,, correspond to the leaf nodes at the bottom level of the tree. The 
program identifier, p, associated with each program key, K„ corresponds to the path 
through the key tree firom the root to the desired leaf node. 
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PROBLEM TO BE SOLVED: To provide a system to limit access to 
contents of transmission program such as television program. 
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provider to transmit encrypted programming contents to one or a 
plurality of customers. A program identifier (p) used to identify a 
program is transmitted to the customers together with programming 
contents. Each customer uses a set- top terminal or an interpretation 
key to provide a limited access to transmission multimedia 
information as other device. The set- top terminal 400 or the like 
receives entitlement information corresponding to a package of one or 
a plurality of programs that can normally be received for a period 
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CLAIMS 



[Claim(s)] 

[Claim 1] The step which assigns the program identifier which is the approach of transmitting the program 
which can carry out access restriction to an end user, and has (A) binary value to said program, (B) The step 
which enciphers said program by using the step which defines at least one master key, and the program key 
obtained by applying at least one Hash Ftmction to said master key based on the binary value of the (C) 
aforementioned program identifier, (D) Approach characterized by having the step which sends said 
enciphered program to said end user with said program identifier. 

[Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 
the Hash Funcfions to each location of n bits of said program identifier according to the bit value to which it 
becomes from n bits and said program identifier corresponds. 

(Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said erid user. 
[Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
in order to obtain said program key from said memorized entitiement information. 
[Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 
transmission of said encryption program. 

[Claim 7] Said program identifier is an approach according to claim 1 characterized by being transmitted on 
a control channel. 

[Claim 8] The approach characterized by to have the step enciphered using the program key which is the 
approach of transmitting a program to two or more end users, and was obtained by applying a Hash 
Function to the master key based on the binary value of each bit position of said program identifier for the 
program which has (A) program identifier recurrently, and the step which transmits the program which 
carried out (B) encryption, and said program identifier to said end user. 

[Claim 9] Said program identifier is an approach according to claim 8 characterized by applying said Hash 
Function to each location of n bits of said program identifier according to the bit value to which it becomes 
from n bits and said program identifier corresponds. 

[Claim 10] (C) The approach according to claim 8 characterized by having further the step which provides 
said end user with entitlement information based on the set of the program acquired by said end user. 
[Claim 11] The approach according to claim 10 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 12] Said end user is an approach according to claim 10 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 
[Claim 13] Said program identifier is an approach according to claim 8 characterized by interleaving with 
transmission of said encryption program. 



[Claim 14] Said prograim identifier is an approach according to claim 8 characterized by being transmitted 
on a control channel. 

[Claim 15] It is the approach of transmitting the program corresponding to at least one program package to 
two or more end users. (A) The step which provides said end user with entitlement information based on 
the set of the program acquired by said end user, (B) The step enciphered using the program key obtained 
by applying a Hash Function to the master key based on the binary value of each bit position of said 
program identifier for the program which has a program identifier recurrently, (C) Have further the step 
which transmits said program identifier to said end user with the enciphered program, and if said end user 
is a just user of said program Said end user is an approach characterized by obtaining said program key 
from the memorized entitlement information. 

[Claim 16] Said program identifier is an approach according to claim 15 characterized by applying one of 
said the Hash Functions to each location of n bits of said program identifier according to the bit value to 
which it becomes from n bits and said program identifier corresponds. 

[Claim 17] The approach according to claim 15 characterized by including some key trees based on the set of 
the program acquired by said end user in said entitlement information. 

[Claim 18] Said end user is an approach according to claim 15 characterized by using said program identifier 
in order to obtain said program key from said memorized entitlement information. 

[Claim 19] Said program identifier is an approach according to claim 15 characterized by interleaving with 
transmission of said encryption program. 

[Claim 20] Said program identifier is an approach according to claim 15 characterized by being transmitted 
on a control channel. 

[Claim 21] The step which receives the entitlement information which is the approach of decoding the 
enciphered program and contains at least one middle key from a key tree based on the set of the program 
which said customer acquired from the provider of the (A) aforementioned program, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) Approach 
characterized by having the step which obtains said program key from the part said program identifier and 
said key tree were remembered to be, and the step which decodes said encryption program using the (D) 
aforementioned program key. 

[Claim 22] It is the approach according to claim 21 which said program identifier consists of n bits, and said 
master key is arranged on the root of said key tree, and is characterized by generating said key tree when 
said key tree applies a Hash Function to each node until the tree level of n is made. 
[Claim 23] It is the approach of decoding the enciphered program. From the provider of the (A) 
aforementioned program The step which receives the entitlement information which contains at least one 
middle key from the key tree based on the set of the program which a customer acquires, (B) The encryption 
program enciphered by the program key, and the step which receives a program identifier, (C) The step 
which obtains said program key from the part the key tree was remembered to be from said program 
identifier and said middle key by applying a Hash Function to said middle key recurrently based on the 
binary value of said program identifier, (D) Approach characterized by having the step which decodes said 
encryption program using said program key. 

[Claim 24] It is the approach according to claim 23 which said program identifier consists of n bits, and said 
middle key corresponds to the intermediate node in the level r of said key tree, and is characterized by 
carrying out n-r time application of said Hash Function at said middle key. 

[Claim 25] The memory which is the system which transmits the program which restricts access to an end 
user, and memorizes the (A) master key and a computer readout possible code, (B) It has the processor 
connected with said memory in actuation. This processor (a) The program identifier which has a binary 
value is assigned to said program, (b) Define at least one master key and said program is enciphered using a 
program key by applying at least one Hash Function to said master key based on the binary value of the (c) 



aforementioned program identifier, (d) System characterized by constituting so that an encryption program 
may be transmitted to said end user with said program identifier. 

[Claim 26] The memory which is the system which transmits the program to which access to an end user 
was restricted, and memorizes the (A) master key and the code which can be computer read, (B) It has the 
processor connected with said memory on actuation. Said processor (a) The program key obtained by 
applying a Hash Function to a master key recurrently based on the binary value of each bit position of said 
program identifier is used. The system characterized by constituting so that this program that enciphered 
this program that has a program identifier and was enciphered by the (b) aforementioned end user, and said 
program identifier may be transmitted. 

[Claim 27] The memory which is the system which decodes the enciphered program and memorizes the (A) 
master key and the code which can be computer read, (B) It has the processor connected with said memory 
on actuation. Said processor (a) The entitlement information containing the part of the key tree based on the . 
set of the program acquired by said customer is received from the provider of this program, (b) The 
encryption program enciphered by the program key and a program identifier are received, (c) System 
characterized by obtaining said program key from said part said program identifier and said key tree were 
remembered to be, and constituting so that said encryption program may be decoded using the (d) 
aforementioned program key. 

[Claim 28] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read assigns the program identifier which has (a) 
binary value at the time of actuation to a program, (b) Define at least one master key and the program key 
obtained by applying at least one Hash Function to said master key based on the binary value of the (c) 
aforementioned program identifier is used. The medium which is characterized by transmitting this 
program that enciphered this program and was enciphered with the (d) aforementioned program identifier 
to an end user and which can be computer read. 

[Claim 29] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read. This means that can be computer read receives the entitlement information 
containing the part of the key tree based on the set of the program acquired by the (a) aforementioned 
customer at the time of actuation from the provider of this program, (b) The encryption program enciphered 
by the program key and a program identifier are received, (c) Medium which is characterized by obtaining 
said program key from said part said program identifier and said key tree were remembered to be, and 
decoding said encryption program using the (d) aforementioned program key and which can be computer 
read. 
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DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of transmitting programming. 
[0002] 

[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel. 
Generally development of the package with which a customer is provided is a marketing function. A service 
provider is wanted to offer the package of various sizes generally. For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the rep ro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of the keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU which has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 



machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs. 

[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television channel. A set top 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ an access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure memory capacity to which the set top terminal be restricted . The cryptography-approach arid 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 apphcation) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transmission using the 
program key kP. Each program key is the linearity combination of the set with which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
[0010] 

[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual ~ the program - unique ~ making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 



exclusive control channel. 

[0012] Each of k-bit program key kp used for enciphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example. Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example, the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is applied to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remairung bit position (n-1). Count of the program key kp can be expressed as 
follows. 
[Equation 1] 

[0014] Such a hash operation can be expressed in relation to n level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 
each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is cormection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Fvinction to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encryption multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution networks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terminal performs. A network 
110 can be made into the wireless broadcasting network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of , 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 



which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security technique are indicated by reference, B.Schneier, and Apphed Cryptography (2d ed.l997). In 
addition to transmission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key reqmred to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assigrunent of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that. 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: {0, 1} k->{0, l}2k - here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 
be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function. 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference. 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x 1 1 0), and HI hims into SHA-1 (x I 1 1). 
Here, 0 and 1 are the bit stiings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrentiy 1 or two or more Hash Fimctions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the item of a title called lower "key 
tree" may explain. 
[Equation 2] 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Fimctions to a master key m according to the binary value of 



the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Functions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cryptographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

K^=H^_{...ff^^(H^im))...) 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index Oil corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232. That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOll can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what cormected the label on the edge of the pass to 
Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program in the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Function. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Functions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlement to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] {0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and "How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 ~ for example, IBM ~ it can mount with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be mounted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 

[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> — the data storage device 320 has the 



entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program dehvery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in ordel- to encipher a program and to transmit by the program identifier p. 
[0032] The communication link port 330 links the head end server 300 to each cormected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is ihe block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (STT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400 is equipped 
with a processor 410 and memory like data storage 420, and the commurucation link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlement database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the prograrh 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose customer has an entitlement. 
[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accovmting 
period with the program identifier p to which that program belongs and which packs and corresponds. The 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 

entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 ~ it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 



packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 

follows. 

[Equation 4] 

TiS) = Z qT fztiU [jnu) = s . |z| rim/> 

[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore — however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted. 

[0040] a process - as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitlement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 
maximum De Dis joint interval of the KONSEICYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information dowrUoads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magniti,ide of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single ke;y in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is important for performing in off-line thru/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 



program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a charmel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920). The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitlement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 
corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equation 5] 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a customer to 
demand a specific charmel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all channels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function ~ as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a weU-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 



difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pi, p2, and those ********** of a SHIBURINGU program are 
considered. A piracy person assumes that the program key kp corresponding to the programs pi and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pi) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is - although ~ it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Fimction is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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TECHNICAL FIELD 



[Field of the Invention] This invention relates to the system which transmits the program decoded with the 
memorized entitlement information using the program identifier used by the set top terminal, in order to 
obtain a decode key required to decode a program especially about the system which restricts access to the 
contents of transmitting programming. 
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PRIOR ART 



[Description of the Prior Art] It is still more important that a service provider like a cable television operator 
or a digital satellite service operator offers the package of the channel to which a majority of a television 
viewer's population is satisfied, or a program as the number of channels with an available television viewer 
increases and the range of the available contents of programming increases in number by such channel. 
Generally development of the package with which a customer is provided is a marketing function. A service 
provider is wanted to offer the package of various sizes generally. For example, they are all programs, the 
combination between them, etc. from one program. 

[0003] A service provider usually broadcasts a television program from the transmitter called a "head end" 
to many customers. Each customer is usually concerned with a part of programming to receive. For 
example, in a broadcast environment, any man can receive programming transmitted with a suitable 
receiver like an antenna or a satellite disk. In order to restrict access of a program only to the normal 
customer who purchased the package, a service provider usually enciphers a transmitting program and 
contains 1 or two or more code machines in a customer. A set top terminal (STT) is offered. By such 
approach, a set top terminal receives encryption transmission and the program which a customer looks at is 
enciphered. Nothing is carried out but this. 

[0004] In order that the confidentiality memorized in the set top terminal may make piracy of high 
information min, a set top terminal is usually equipped with a secure processor or secure memory. This 
secure memory has the capacity of several kilobits order, and memorizes a code key. Generally secure 
memory is not volatility but tamper REJISUTANTO. Moreover, secure memory has that it can write [ much 
] in and can carry out the repro gram of the key for every accounting period. Since the secure memory 
capacity of the conventional set top terminal is restricted, the number of tiie keys memorized will be 
restricted and the number of the packages which a service provider offers will also be restricted. The 
number of the programs which a service provider broadcasts to the accounting period of a moon unit may 
usually be the order of 200,000. 

[0005] The conventional set top terminal has a thing containing bit VEKUTORU whigh has a bit entry 
corresponding to each package of the program which a service provider offers. If a specific customer is the 
normal addressee of a package, the bit entry in the bit vector memorized in a set top terminal will be set to 
"1." After that, all the programs that a service provider transmits are enciphered by one key. If a program is 
received, a set top terminal will judge whether the bit entry which accesses and corresponds to a bit vector is 
set. If the bit entry is set, as for a set top terminal, a program will be decoded using one memorized code 
machine. 

[0006] Although it seems to a theory top that flexibility is attained by the bit vector method by offering one 
bit entry to each package (a package consisting of one program generally), the die length of a bit vector is 
not practical in the system which transmits many programs to one accounting period. Moreover, the access 
control in such a system is exclusively given by the entry in a bit vector, and is not code-like (cryptographic). 
Therefore, if a customer can write in a bit vector and can set all bits to "1", a customer will be able to access 
all programs. 



[0007] Moreover, a program is divided into each package and there are some as which all the programs in a 
package are enciphered using the same key. Each package corresponds to one television channel. A set top 
terminal memorizes the decode key to each package the customer of whose is a normal addressee. 
Therefore, if a program is included in two or more packages, that program must be broadcast again for 
corresponding each package of every, and will be enciphered in this the transmission of each by the code 
key corresponding to a specific package. Although it is cryptography-like [ an access control ], by the 
overhead about broadcasting programming again repeatedly, it will not be realistic, and will carry out 
arranging the same program as much packages, and flexibility will be restricted in the design of the package 
of a program. 

[0008] although the conventional system which encipher such contents of a program and be transmit be 
comparatively successful about restrict access only to a normal customer , it have not make it possible to 
provide a customer with the package with which a large number which include much programs , without 
make an overhead increase fairly differ , without a service provider like a television network exceed the 
secure meinory capacity to which the set top terminal be restricted . The cryptography-approach and 
equipment which restrict access to the contents of transmitting programming to the "Vspace system" 
indicated by the United States patent applications 08/912186 (August 15, 1997 application) are indicated. 
[0009] Each program in a Vspace system is enciphered by the head end server before transrmssion using the 
program key kP. Each program key is the linearity combination of the set v^th which the master key M was 
defined. The program identifier which identifies a program is transmitted with the contents of encryption 
programming. A customer's set top terminal can obtain a decode key only from the entitlement information 
recorded on the program identifier p which received, and the front. A Vspace system offers a 
cryptography-access-control mechanism, enabling the package which is supple, without extending a 
program header fairly (only a program identifier being transmitted with a program). It is because it is not 
necessary to broadcast a program again for corresponding each package of every. 
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MEANS 



[Means for Solving the Problem] Generally, the contents of programming enciphered by 1 or two or more 
customers by the service provider using the transmitter thru/or the head end server are transmitted. The 
program identifier p used for identifying a program is transmitted to a customer with the contents of 
programming. Each customer has other devices in which access restricted to transmitting multimedia 
information using the set top terminal thru/or the decode key is given. A set top terminal receives 1 which 
can receive to normal at a period with a customer, or the entitlement information corresponding to the 
package of two or more programs from a head end. 

[0011] Each program is enciphered by the head end server before transmission using the program key kp. 
the program key kp of an individual ~ the program ~ unique ~ making . In addition to transmission of the 
enciphered program, a head end server transmits the program identifier p to a set top terminal. A set top 
terminal obtains a decode key required to decode a program using the program identifier p which received 
with the memorized entitlement information. In this approach, if a customer is the normal user of a specific 
program, a set top terminal can obtain the program key kp enciphered using the information memorized 
and received, and can decode the program enciphered using that program key kp after that. In an example, 
the program identifier p can be interleaved to a part of program, and can be transmitted on a separate 
exclusive control channel. 

[0012] Each of k-bit program key kp used for enciphering a transmitting program can be obtained by 
applying 1 or two or more pseudo-random Hash Functions to a master key m. As an example, Hash 
Function H which doubles die length can be used. Therefore, Hash Function H takes a k bit binary value, 
and makes the binary value of the die length of 2k. The output of Hash Function H can be expressed as pair 
HO of k-bit binary value as HI. Here, HO can be identified as a left half of the output of the Hash Function 
concerned, and HI can be identified as a right half of the output of the Hash Function concerned. 
[0013] As an example> the program key kp can be obtained according to the binary value to which each bit 
position of the program identifier p corresponds by applying recurrently Hash Functions HO or HI to a 
master key. Therefore, if the program identifier p consists of m bits, one side of Hash Functions HO or HI 
will be applied to each bit position of n of the program identifier p according to the bit value to which the 
program identifier p corresponds. First, one side of Hash Functions HO or HI is appHed to a master key 
according to the binary value which is the leftmost digit bit of the program identifier p. After that, according 
to the binary value of a corresponding bit, one side of Hash Functions HO or HI is applied to the result of a 
pre- hash operation to each remaining bit position (n-1). Count of the program key kp can be expressed as 
follows. 
[Equation 1] 

[0014] Such a hash operation can be expressed in relation to h level binary tree T (called a key tree) by which 
the root 2 master key m of a tree is arranged. A tree is generable by applying Hash Functions HO and HI to 



each node until a desired number of tree-level (n) is made. The program key kp corresponds to the leaf (leaf) 
node in the bottom (bottom) level of a tree. The binary index (the same the program identifier [ And ] p) 
corresponding to each program key kp corresponds to the pass (way) which passes along the key tree from 
the root to a desired leaf node. Therefore, the index thru/or label of Node u is connection of the label on H 
on the pass from the root to Node u. T (u) can calculate any key of the program in subtree T (u) by carrying 
out time (n-r) actuation of the Hash Function to the internal node u (ul, ur) in depth r in the subtree 
which makes Node u the root, i.e., the key tree which has the partial program identifier p showing the set of 
the program identifier p corresponding to the leaf in the subtree of Node u. 
[0015] 

[Embodiment of the Invention] Drawing 1 has shown the network environment which transmits video, an 
audio, and encryption multimedia information like data to 1 or two or more customers who have the set top 
terminals 400-401 through 1 or two or more distribution netu'orks 110 using a transmitter like the head end 
server 300 from a service provider. This head end server 300 argues in relation to drawing 3 in the bottom, 
and argues about the set top terminal 400 in relation to drawing 4 in the bottom. In this specification, a set 
top terminal includes any device in which access restriction is given to the multimedia information 
transmitted using the decode key. For example, a computer configuration and a communication link device 
are included. A service provider may download the software which a set top terrninal performs. A network 
110 can be made into the wireless broadcasting network which distributes contents of programming like 
digital satellite service (DSSTM), a cable television network (CATV), a public switching network (PSTN), an 
optical network, ISDN, and a cable network like the Internet. 

[0016] The set top terminal 400 receives entitlement information intermittently from the head end server 300, 
and enables a customer to access the program whose customer is a registered user between a certain time 
intervals (for example, accounting period). In this specification, a package is the set of a predetermined 
program and a certain program can belong to 1 or two or more packages. A program means all of 
continuous multimedia transmission of the episode of television, or specific die length like a movie. 
Entitlement information is downloadable in the set top terminal 400 from the head end server 300 using 
which suitable secure one way or bidirectional protocol. 

[0017] Program key and program identifier each transmitting program is enciphered by the head end server 
300 using the program key kp. This program key kp can be made unique to a program. Suitable encryption 
and a security techiuque are indicated by reference, B.Schneier, and Applied Cryptography (2d ed.l997). In 
addition to transniission of an encryption program, the head end server 300 also transmits a n bit program 
identifier to the set top terminal 400. This is used by the set top terminal 400 with the memorized entitled 
information, and as shown in a detail, it obtains a decode key required to decode a program in the bottom. 
[0018] The program identifier p is not chosen as arbitration so that the item of the bottom entitled 
assignment of the program identifier to a program may explain. In a desirable example, the program 
identifier p can consist of the 32-bit value transmitted in the ECM field specified to MPEG-2 criterion. In this 
case, if it is the registered user of the program of specification [ a customer ], the set top terminal 400 can 
obtain the program key kp from the information memorized and received, and it can use the program key 
kp so that an encryption program may be decoded after that. 

[0019] According to the further description of this invention, each of the k-bit program key kp used for an 
encryption transmitting program can be obtained by applying 1 or two or more pseudo-random Hash 
Functions to a master key m. Explanation of a suitable pseudo-random Hash Function is indicated by 
reference and O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
[0020] As an example, it is secure in cryptography, and the Hash Function which doubles die length is used 
as follows. 

H: {0, 1) k->{0, l}2k - here, k is the die length of the program key kp. Therefore, Hash Function H takes the 
binary value of k bits, and makes the binary value of die-length 2k. The output of this Hash Function H can 



be expressed as pair HO of a k bit binary value as HI. Here, HO is the left-hand side one half (left-hand side 
digit bit) of the output of Hash Function H, and is H. {1} is the right-hand side one half (right-hand side digit 
bit) of the output of Hash Function H. HO and HI can be called a separate Hash Function. 
[0021] If it is k= 160, H can be specified using secret hash standard SHA-1 which is indicated by reference. 
Secure Hash Standard, National Institute of Standards and Technology, NIST FIPS PUB 180-1, and 
U.S.Dept.of Commerce (April, 1995). That is, HO is set to SHA-1 (x I 1 0), and HI turns into SHA-1 (x 1 1 1). 
Here, 0 and 1 are the bit strings of all the bit strings 1 of 0 altogether, respectively. 

[0022] The program key kp can be obtained by applying recurrently 1 or two or more Hash Functions to a 
master key m according to the binary value of the program identifier p. As an example, the program key kp 
can be obtained by applying recurrently one side of Hash Functions HO or HI to a master key m according 
to the binary value of each bit position of the program identifier p. Generally, if the program identifier p 
consists of n bits, according to the bit value to which the program identifier p corresponds, one side of Hash 
Functions HO or HI will be applied to each of the bit position of n of the program identifier p (it starts from 
a leftmost bit). 

[0023] One side of Hash Functions HO or HI is first applied to a master key according to the binary value 
which is a leftmost digit bit. After that, according to the binary value which is the bit to which one side of 
Hash Functions HO or HI corresponds, it is applied to the result of pre- hash actuation to each remaining bit 
position (n-1). This hash actuation can be expressed as follows so that the'item of a title called lower "key 
tree" may explain. 
[Equation 2] 

K^=H^^{...H^^{H^(m))...) 

[0024] As mentioned above, the head end server 300 transmits the program identifier p with an encryption 
program. Therefore, if the program identifier p is given, the set top terminal 400 must obtain the program 
key kp used for decode of a receiving agent. As mentioned above, the program key kp can be obtained by 
applying recurrently 1 or two or more Hash Functions to a master key m according to the binary value of 
the program identifier p. The program key kp must be obtained by a customer's set top terminal 400, using 
indirectly the memorized entitlement information and the program identifier p which received which is 
explained in the bottom. 

[0025] As explained on the key tree, the program key kp can be obtained by using recurrently 1 or two or 
more Hash Functions for a master key m according to the binary value of the program identifier p. The k-bit 
single master key m is used. The bit of the program identifier p can be expressed as p= (pi, pn). Here, pi 
is a leftmost digit bit and is a rightmost digit bit. The cr5^tographic key kp to the program which has the 
program identifier p can be defined as follows. 
[Equation 3] 

[0026] Hash actuation can be expressed as a perfect n level binary tree T like the key tree 200 shown in 
drawing 2 . The key tree 200 shown in drawing 2 corresponds to the example of mounting which has the 
program identifier p which consists of a triplet. As shown in drawing 2 , a master key m is arranged on the 
root 210 of a tree 200. The program key kp corresponds to a leaf node like leaf nodes 240-247. The index 
corresponding to each program key kp shown in drawing 2 like the index Oil corresponding to the program 
key kp of the DERIFU node 243 shows the pass which lets the key tree 200 from the root 210 to a leaf node 
243 pass. For example, the program key kp of 243 can be obtained by following with the left edge (HO) from 
the root 210, the right edge (HI) from a node 220, and the right edge (HI) from a node 232. That is, HI is 
further applied for HO to the 2nd hash result. The program key kpOli can be obtained. 
[0027] Therefore, the label of a node u like a node 243 is what connected the label on the edge of the pass to 



Node u from the root 210. The label of each node can be specified by the program identifier p. Since the 
subtree which makes Node u the root is expressed, T (u) is used (namely, since the set of the program 
identifier p corresponding to the leaf in the subtree of Node u is expressed). The internal node u in depth r 
in the key tree 200 has the partial program identifier p (ul, ur), and can calculate the key of which 
program in subtree T (u) to these. Any key of the program In the subtree of Node u is calculable by carrying 
out time (n-r) actuation of the Hash Fimction. Specifically, it uses so that the value of each bit of the low 
digit of (n-r) of the program identifier p may direct suitable Hash Functions HO or HI. Therefore, the 
program key kp corresponding to Node u can function as an entitlement to all the programs in the subtree 
of Node u. 

[0028] If Function H is a pseudo-random generator, mapping kp{0, 1} ->[ n] {0, 1} k of the program key 
which the master key m parameterized is a pseudo-random function. This is indicated by reference, and 

0. Goldreich et al. and "How toConstruct Random Functions" J.ACM and 33:792-807 (1986). 

[0029] System component drawing 3 is the block diagram showing the head end server's 300 AKI theque 
char. A head end shall be related with the service provider of the arbitration which transmits a television 
network, a cable employment person, a digital satellite service employment person, or the contents of 
encryption programming, the head end server 300 ~ for example, IBM - it can moimt with RS6000 server 
which Corp(s) and manufactures, and the function and actuation of this invention can be performed. The 
head end server 300 is equipped with related memory like a processor 310 and the data storage device 320. 
A processor 310 may be mounted as a single processor and may be mounted as some processors which 
operate to juxtaposition. The data storage device 320 and ROM are made to memorize 1 or two or more 
instructions, and a processor 310 enables it to perform by taking out and interpreting. 
[0030] As mentioned above, the data storage device 320 is equipped with the master key database 350 which 
memorizes a master key m. For example, a master key m can be updated like [ for every accounting period 

1. Moreover, the data storage device 320 has the program database 500 so that it may explain in relation to 
drawing 5 in the bottom. The program database 500 presents the program identifier p and the related 
package corresponding to each program, moreover, drawing 7 R> - the data storage device 320 has the 
entitlement information delivery process 700 and the program delivery process 800 so that it may explain in 
relation to 7 and 8. 

[0031] Generally, the entitlement information delivery process 700 generates and distributes the entitlement 
information which each customer needs to accessing the program which is a registered user. Moreover, the 
program delivery process 800 obtains the program key kp based on the program identifier p assigned to the 
program, in order to encipher a program and to transmit by the program identifier p. 
[0032] The communication link port 330 links the head end server 300 to each connected receiver like the set 
top terminal 400 which showed the head end server 300 to the network 110 at a bond and drawing 1 . 
[0033] Drawing 4 is the block diagram showing the AKI theque char of the set top terminal 400. The set top 
terminal 400 can be mounted as a set top terminal (STT) corresponding to television, and it can be changed 
so that the function and actuation of this invention may be performed. The set top terminal 400. is equipped 
with a processor 410 and memory like data storage 420, and the communication link port 430, and operates 
by the same approach as the above hardware relevant to drawing 3 . 

[0034] Data storage 420 is equipped with the entitlement database 600 memorizable into the secure part of 
data storage 420 so that it may explain in relation to drawing 6 in the bottom. The entitlerhent database 600 
contains the part of the key tree 200 required in order that a customer may get the program key kp to the 
program which has an entitlement. Moreover, data storage 420 is equipped with Hash Functions HO and HI 
(440). Moreover, data storage 420 includes the decoding process 900 so that it may explain in relation to 
drawing 9 in the bottom. Generally, using the program identifier p received in order to obtain the program 
key kp, and the memorized entitlement information 600, in order to decode a program, the program key kp 
is used for the decoding process 900, and it decodes the program whose customer has an entitlement. 



[0035] Drawing 5 shows the program database 500 which memorizes information on each program p 
transmitted by the head end server 300. This information is transmitted to for example, an accounting 
period with the program identifier p to which that program belongs and which packs and corresponds, the 
program database 500 holds two or more decodings like records 505-520. These are related with a different 
program, respectively. The program database 500 contains the program identifier p which corresponds in 
the field 535 including directions of the corresponding package with which the program belongs in the field 
530 to each program identifier identified by the program name in the field 525. 

[0036] Drawing 6 shows the entitlement database 600 containing the part of the key tree 200 required for a 
customer to get the program key kp to the program which has an entitlement. As mentioned above, T (u) 
expresses the set of the program identifier p corresponding to the leaf nodes 240-247 in the subtree which 
makes Node u the root, i.e., the subtree of Node u. For example, supposing a customer has an entitlement 
about receiving four programs corresponding to leaf nodes 240-243, entitlement information will consist of a 
middle key corresponding to a node 220. In this approach, if needed, suitable Hash Functions HO and HI 
(440) can be used in order to obtain the program key kp to each nodes 230, 232, 240-243 in the subtree of a 
node 220. 

[0037] The entitlement database 600 shown by drawing 6 is a registered user who receives four programs 
corresponding to leaf nodes 240-243 (there is an entitlement), and is a registered user who receives two 
programs corresponding to leaf nodes 246-247. Therefore, the entitlement information recorded on the 
entitlement database 600 consists of a middle key corresponding to a node 220 and a node 236. nodes 220 
and 236 ~ it is alike, respectively, and it receives, and the entitlement information recorded on the 
entitlement database 600 has the middle key values kio and kill, respectively, and has corresponding 
directions of the partial program identifier p. The approach by which the entitlement database 600 is 
generated by the entitlement information delivery process 700 based on the package of the program which 
the customer chose is explained in relation to drawing 7 in the bottom. 

[0038] A small entitlement is establishable to the set of many programs of various sizes using the tree 
method of program packaging this invention. The target set S is established using the set of the program 
packed. The minimum set of a tree node with which a subtree covers the target set S correctly is obtained as 
follows. 
[Equation 4] 

, T{S)=-Z cr fc/-£U [jnu)=S . |Z| (i^/h 

[0039] The entitlement information over Package S is the set ki of the middle key held in the node of T (S). 
As shown in a top, the set top terminal 400 decodes the program in S (accepting it) correctly with the set of 
this key. Theoretically, the tree method of this invention can build the entitlement information over the 
target set S of which arbitration, furthermore ~ however, if the program identifier p is assigned to 
arbitration, entitlement information will become so large that it is not allowed for the secure memory to 
which the set top terminal 400 was restricted. 

[0040] a process ~ as mentioned above, the head end server 300 performs the entitlement information 
delivery process 700 shown in drawing 7 , and generates and distributes the entitlement database 600 
required for each user in order to access the program which is a registered user. As mentioned above, the 
entitlement database 600 consists of corresponding directions and the corresponding middle key value ki of 
a partial program identifier to each node of the key tree 200 required for a customer to get the program key 
kp to the program which is a registered user. 

[0041] Therefore, the entitlement information delivery process 700 identifies first the program which the 
customer chose (710). After that, the entitiement information delivery process 700 finds minimum set [ of a 
tree node ] T (S). The subtree covers the target set S correctly. The target set S is disassembled to the 



maximum De Dis joint interval of the KONSEKYUTIBU program identifier p (720). Two program identifiers 
p are considered to be KONSEKYUTIBU when the integer over the binary expression is KONSEKYUTIBU. 
[0042] And covering T (S) is found to each interval (730). The corresponding partial program identifier p 
held in the node of covering T (S) to Set ki and each interval of a middle key is generated (740). At the end, 
the generated entitlement information downloads to the set top terminal 400 with the head end server 300 
(750), and program control is completed (760). 

[0043] The number of the intervals in the target set S can be set to I (S). In order to calculate covering T (S) to 
the single interval of the program identifier p to the order of the tree node of n, the key tree 200 of depth n 
must be asked. Therefore, the time amount complexity of the entitlement information delivery process 700 
serves as order of I(S) -n. Similarly, the magnitude of minimum covering T (S) serves as order of I(S) -n. The 
program identifier p which enables the program of related contents to carry out packaging of them 
efficiently should be assigned. In an example, a fundamental package is the gestalt of all the program 
identifiers p that have the bit prefix mu. 

[0044] The entitlement of such a single topic package is a single key in the key tree 200. Moreover, a 
multi-topic package can be assembled without a side effect. Entitlement information is only the set of a key 
to each TOPICS which consists of a multi-TOPICS package. According to this invention, the package 
specified by Prefix mu does not force to the set top terminal 400 so that a program may be decoded using 
zero prefix of the same die length. 

[0045] As mentioned above, the head end server 300 performs the program delivery process 800 shown in 
drawing 8 , and in order to decode a program and to transmit using the program identifier p, he gets the 
program key kp based on the program identifier p assigned to the program and the master key m. The 
program delivery process 800 is irr\portant for performing in off-line thru/or the real time except an actual 
transmitting step. As shown in drawing 8 , the program delivery process 800 starts the process using the 
principle of this invention by identifying the program which should be transmitted (810). 
[0046] After that, the program delivery process 800 takes out the program identifier p corresponding to the 
program from the program database 500 (820), and calculates the program key kp corresponding to the 
program (830). And a program is enciphered using the program key kp calculated at the front step (840). 
Finally, the program delivery process 800 transmits the program enciphered with the program identifier p 
(850), and program control ends it (860). 

[0047] It is important to suppose that it is possible to obtain the program key kp required for the program 
identifier p to be interleaved periodically, able to transmit it through transmission of program information, 
and for a customer change a channel at the time of a program, and decode a program. In another example, 
the program identifier p can be continuously transmitted on another control channel like a Barker channel. 
[0048] As mentioned above, the set top terminal 400 performs the decoding process 900 shown in drawing 9 
, using the entitlement information 600 and the received program identifier p memorized in order to obtain 
the program key kp, in order to decode the program, the program key kp is used and a customer decodes 
the program by which the entitlement is carried out. As shown in drawing 9 , the decoding process 900 
starts the process which used the principle of this invention on the occasion of the reception of the customer 
directions made to tune up to a specific channel (910). 

[0049] After that, the set top terminal 400 receives the suitable signal containing the enciphered program 
identifier p which was programmed and transmitted (920). The decoding process 900 takes out the 
entitlement information memorized from the entitlement database 600 (930). It judges whether the 
transmitted program is included (940). When the entry which has the partial-program identifier p which 
agrees in the leftmost digit bit of the receiving-agent identifier p at step 940 is judged not to exist in the 
entitlement database 600, a customer does not have an entitlement to the selected program and program 
control is ended (980). 

[0050] However, if an entry exists in the entitlement database 600 which has the partial-program identifier p 



corresponding to the leftmost digit bit of the received program identifier p, a customer has an entitlement to 
the selected program. Therefore, the program key kp is calculated using the middle key ki taken out from 
the entry of the entitlement database 600 (960). Specifically, the program key kp is calculated by operating 
suitable Hash Functions HO or HI so that each value of the bit of the low (n-r) order of the program 
identifier p may direct as follows. 
[Equations] 

[0051] Finally, the program is decoded using the obtained program key kp (970), and ends program control 
(980). When the received program is not a part of a customer's entitlement here, it is important that there is 
no entitlement information which has the partial identifier p corresponding to the low bit of the program 
identifier p which received with the transmitting program in the entitlement database 600. 
[0052] The decoding process 900 obtains a decode key, or moreover, as mentioned above Before a customer 
judges whether there is any entitlement to a demand channel In order that it can wait for a customer to 
demand a specific charmel and the decoding process 900 may obtain the transmitting program identifier p 
instead, all charmels are scanned periodically. It is important that the decode key to the storage in data 
storage 420 can be obtained, and a customer's entitlement can be judged beforehand again. 
[0053] a suitable Hash Function ~ as mentioned above, if Hash Function H is a pseudo-random bit 
generation machine, it can prove that mapping of p->kp is a pseudo-random function. Therefore, a code key 
cannot be predicted if actual Hash Function H is strong in cryptography. Therefore, if a piracy person has 
access only to encryption program broadcasting, it will not be able to break through a code in the 
knowledge about the key generated using the tree method of this invention. Therefore, only one concerns 
only become ensuring that video encryption algorithm can oppose to a well-known plain text attack. 
[0054] Hash Function H should hold two properties. Calculating Input x has that it must be difficult noting 
that the one half HO of an image (x) or HI (x) is given to the 1st to Hash Function H. Though this knows the 
image of both these one half, it is actually materialized also to the cryptography-hash [ which ] H with it 
difficult [ to carry out an inverted arch ]. Moreover, though HI (x) was known, it must be difficult to 
calculate HO (x), and the reverse of a thing is also the same. Even if it is difficult fundamentally to carry out 
the inverted arch of the function H, when the key of one one half is known, it becomes easier to complete 
the key of the remaining one half. If that is right, the piracy person who knows Program kp to Node u can 
calculate the key to the SHIBURINGU (sibling: sibling) node v, and can calculate the key to all the programs 
in the subtree of Node v. 

[0055] As one advantage of the tree method according to this invention, merge of an entitlement carried out 
in piracy may be made in inefficient. Pair pi, p2, and those ********** of a SHIBURINGU program are 
considered. A piracy person assumes that the program key kp corresponding to the programs pi and p2 of 
both which are two one half of H (kp (u)) is known. A piracy person still cannot do the inverted arch of the 
H, and cannot calculate kp (u). It is because H is a cryptography-Hash Function. Therefore, the entitlement 
carried out in the merged piracy must contain both kp (pi) and kp (p2) instead of compact kp (u). therefore, 
it is not a strategy good for a piracy person to divide to two or more set top terminals 400 which use a 
CHIPU (it is ~ although ~ it differs) entitlement. It is because a union ****** entitlement becomes very large. 
[0056] As mentioned above, the suitable pseudo-random Hash Function is indicated by reference, and 
O.Goldreich et al. and "How to Construct Random Functions" J.ACM and 33:792-807 (1986). 
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[Procedure revision] 

[Filing Date] August 13, Heisei 14 (2002. 8.13) 

[Procedure amendment 1] 

[Document to be Amended] Specification 

iltem(s) to be Amended] Claim 

[Method of Amendment] Modification 

[Proposed Amendment] 

[Claim(s)] 

[Claim 1] It is the approach of transmitting the program which can carry out access restriction to an end 
user, 

(A) The step which assigns the program identifier which has a binary value to said program, 

(B) The step which defines at least one master key. 



(C) The step which enciphers said program by using the program key obtained by applying at least one 
Hash Function to said master key based on the binary value of said program identifier, 
: (D) The approach characterized by having the step which sends said enciphered program to said end user 
with said program identifier. 

[Claim 2] Said program identifier is an approach according to claim 1 characterized by applying one of said 
the Hash Functions to each location of r\ bits of said program identifier according to the bit value to which it 
becomes from n bits and said program identifier corresponds. 

[Claim 3] (E) The approach according to claim 1 characterized by having further the step which provides 
rsaid end user with entitlement information based on the set of the. program acquired by said end user. 

[Claim 4] The approach according to claim 3 characterized by including some key trees based on the set of 
, the program acquired by said end user in said entitlement information. 

F [Claim 5] Said end user is an approach according to claim 3 characterized by using said program identifier 
; in order to obtain said program key from said memorized entitlement information. 

[Claim 6] Said program identifier is an approach according to claim 1 characterized by interleaving with 

transmission of said encryption program. 

, [Claim 7] Said program identifier is an approach according to claim 1 chariacterized by being transmitted on 
1 a control channel. 

' [Claim 8] It is the approach of transmitting a program to two or more end users, 

p (A) The step enciphered using the program key obtained by applying a Hash Function to the master key 
I based on the binary value of each bit position of said program identifier for the program which has a 
i program identifier recurrently, 

f (B) The approach characterized by having the step which transmits the enciphered program and said 
iprogram identifier to said end user. 

I^I^Claim 9] It is the approach of transmitting the program corresponding to at least one program package to 
itwo or more end users, 

r(A) The step which provides said end user with entitlement information based on the set of the program 
I'acquired by said end user, 

|(B) The step enciphered using the program key obtained by applying a Hash Function to the master key 
t'^ased on the binary value of each bit position of said program identifier for the program which has a 
i program identifier recurrently, 

1 (C) It has further the step which transmits said program identifier to said end user with the enciphered 
; program, 

• It is the approach characterized by obtaining said program key from the entitlement information said end 
user was remembered to be when said end user was a just user of said program. 
[Claim 10] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from a key 
tree based on the set of the program which said customer acquired from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

(C) The step which obtains said program key from the part said program identifier and said key tree were 
remembered to be, 

(D) The approach characterized by having the step which decodes said encryption program using said 
program key. 

[Claim 11] Said program identifier consists of n bits. 

It is the approach according to claim 10 which said master key is arranged on the root of said key tree, and is 
characterized by generating said key tree when said key tree applies a Hash Function to each node until the 
tree level of n is made. 



[Claim 12] It is the approach of decoding the enciphered program, 

(A) The step which receives the entitlement information which contains at least one middle key from the key 
tree based on the set of the program which a customer acquires from the provider of said program, 

(B) The encryption program enciphered by the program key, and the step which receives a program 
identifier, 

(C) The step which obtains said program key from the part the key tree was remembered to be from said 
program identifier and said middle key by applying a Hash Function to said middle key recurrently based 

\ On the binary value of said program identifier, 

; (D) The approach characterized by having the step which decodes said encryption program using said 
program key. 
i [Claim 13] Said program identifier consists of n bits, 

I It is the approach according to claim 12 which said middle key corresponds to the intermediate node in the 
^level r of said key tree, and is characterized by carrying out n-r time application of said Hash Function at 
i said middle key. 

[Claim 14] It is the system which transmits the program which restricts access to an end user, 
; (A) Memory which memorizes a master key and a computer readoxit possible code, 
|:; (B) It has the processor corrected with said memory in actuation, and this processor, . 
I (a) Assign the program, identifier which 
f (b) Define at least one master key, 

j (c) Encipher said program using a program key by applying at least one Hash Function to said master key 
based on the binary value of said prograiri identic 

^ (d) The system characterized by constituting so thatan encryption program may be transmitted to said end 

i user with said program identifier. 
[Claim 15] It is the system which transmits the program to which access to an end user was restricted, 
(A) Memory which memorizes a master key and the code which can be computer read, 

; (B) It has the processor connected with said rnemory on actuation. 
Said processor, 

(a) Encipher this program that has a program identifier using the program key obtained by applying a Hash 
i Function to a master key recurrently based on the binary value, of each bit position of said program 
: identifier, 

t (b) The system characterized by constituting so that this program eiiciphered by said end user and said 
program identifier may be transmitted. 

[Claim 16] It is the system which decodes the enciphered program, 

(A) Memory which memorizes a master key and the code which can be computer read, 

(B) It has the processor connected with said memory on actuation, and is said processor, 

(a) Receive the entitlement information containing the part of the key tree based on the set of the program 
acquired by said customer from the provider of this program, 

(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to 

be, 

(d) The system characterized by constituting so that said encryption program may be decoded using said 
program key. 

[Claim 17] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 

(a) Assign the program identifier which has a binary value to a program, 

(b) Define at least one master key, 

(c) Encipher this program using the program key obtained by applying at least one Hash Function to said 



master key based on the binary value of said program identifier, 

(d) The medium which is characterized by transmitting this program enciphered with said program 
identifier to an end user and which can be computer read. 

[Claim 18] It is the medium by which the code means which can be computer read was mounted and which 
can be computer read, and this means that can be computer read is at the time of operation, 

(a) Receive the entitlement information containing the part of the key tree based on the set of the program 
[ acquired by said customer from the provider of this program, 

(b) Receive the encryption program enciphered by the program key and a program identifier, 

(c) Obtain said program key from said part said program identifier and said key tree were remembered to . 
be, 

(d) The medium which is characterized by decoding said encryption program using said program key and 
. which can be computer read. 



!■ [Translation done.] 



